cereal 1,524 Nearly a Senior Poster Featured Poster

Davy:

  1. are you able to directly open this link?
  2. do you experience this problem just with these two controllers or it is a common issue to all controllers?

I see you're using a different link now:

/ci/caddLatihan/

If your CI installation is inside /ci/ then you should edit your .htaccess files in order to reflect the path.

cereal 1,524 Nearly a Senior Poster Featured Poster

It could be, do:

ls -lh /mnt
ls -lh /mnt/storage
ls -lh /mnt/storage/uploads

And return the output for each command. Question: the web server is chrooted?

cereal 1,524 Nearly a Senior Poster Featured Poster

Ok,

regarding the Alias directive, did you create the correct setup with a Directory directive as suggested by the documentation?

In particular, if you are creating an Alias to a directory outside of your DocumentRoot, you may need to explicitly permit access to the target directory.

Alias /uploads /mnt/storage/uploads/
<Directory /mnt/storage/uploads/>
    Require all granted
</Directory>

In case you're NOT using Apache ver.2.4, then replace Require all granted with:

Order allow,deny
Allow from all

And refer to the Apache documentation for your current version. This should fix the first error.

Also, try:

sudo chown -R www-data:www-data /mnt/storage/uploads/
sudo chmod -R 755 /mnt/storage/uploads/

The -R flag will apply the rule to all subdirectories and files in the defined path. If it does not work extend it to the group: 775. Check also the permissions of the mount point, i.e. storage, when you re-mount the permission could change and deny the access.

cereal 1,524 Nearly a Senior Poster Featured Poster

Use an absolute path to define the destination directory, then test and check Apache & PHP error logs, it should return the reason: permissions, wrong destination or something else. In case of problems, return the error information and possibly, as suggested previously, your script.

My previous definition wasn't exact, my fault: you don't have to change the path for the clients, they will not spot any change, but you have to modify the destination path for the upload script.

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, try:

<?php

    class One{
        public $a;
    }

    $b = 'Hello';
    $test = new One;
    $test->a = $b;

    echo $test->a;

For more information read about the visibility of class properties:

cereal 1,524 Nearly a Senior Poster Featured Poster

does it show the full path for file

No, the aliased path will not be directly accessible or visible so, only /uploads/file.ext will be visible to clients. There are some constraints, so read the documentation carefully.

OsaMasw commented: thanks +0
cereal 1,524 Nearly a Senior Poster Featured Poster

Also explain the reason, because you could simply use the Alias directive to point the external directory to clients:

Alias /uploads /etc/mnt/storage/uploads

that way you don't have to alter your scripts, but if your boss's decision was taken for security reasons, then Alias is the wrong solution.

OsaMasw commented: I like this solution +2
cereal 1,524 Nearly a Senior Poster Featured Poster

If you can use the command line then use ffmpeg with the -vframes option, example here:

Through PHP you can use exec() or you can use this PHP-FFMpeg that supports -vframes

cereal 1,524 Nearly a Senior Poster Featured Poster

SUM() is a function of the GROUP BY clause, so, in order to get correct results you have to add a group by statement to your query, otherwise:

If you use a group function in a statement containing no GROUP BY clause, it is equivalent to grouping on all rows. For more information, see Section 12.19.3, “MySQL Handling of GROUP BY”.

More info:

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

maybe you have multiple file type fields in your page? Try by identifying the field by the ID attribute, for example:

// by default, submit is disabled
$("#submit").attr("disabled", "true");

$("#upload").on('change', function(){

    var val = $(this).val().toLowerCase();

    if(!val)
    {
        alert('upload your photo');
        $(this).focus();
        $("#submit").attr("disabled", "true");
        return false;
    }

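    else
    {
        var regex = new RegExp("(.*?)\\.(jpg|jpeg|txt|png|docx|gif|doc|pdf|xml|bmp|ppt|xls)$");
        if (!(regex.test(val))) {
            // unsupported extension: clear the field and keep submit disabled
            $(this).val('');
            alert('Unsupported file');
            $("#submit").attr("disabled", "true");
            return false;
        }

        // supported extension: enable submit
        $("#submit").removeAttr("disabled");
    }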

});

Live example: http://jsfiddle.net/ms4grpxc/

By the way, you needed to escape correctly the backslash that starts the regular expression. If you add the id="submit" to the upload button you can disable the upload, but the above solution is not safe for two reasons:

  1. javascript can always be disabled, even if the upload is restricted to AJAX, an XHR can be emulated;
  2. a user can upload a double extension file: file.txt.php will not pass, but file.php.txt yes and if your web server, for example Apache, is not configured correctly, then it will execute the file like a PHP script.

Regarding this security issue read about the SetHandler vs AddHandler directives:
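
A server-side counterpart to the two caveats above, as an added example that is not part of the original post: the stored file name is generated on the server and keeps only an allow-listed final extension, and the content type is sniffed with the fileinfo extension. The function names, the MIME map and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not from the original post. The allow-list is copied from
// the client-side regex above; function names and samples are constructed.

const ALLOWED_EXT = ['jpg', 'jpeg', 'txt', 'png', 'docx', 'gif', 'doc',
                     'pdf', 'xml', 'bmp', 'ppt', 'xls'];

// Expected content types for some image extensions (assumption: extend
// this map for the other allowed types before relying on it).
const EXPECTED_MIME = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Build the name the file is stored under, or return null to reject.
 * Only the final extension is taken from the client; the rest is random,
 * so "file.php.txt" is stored without any ".php" segment.
 */
function stored_name_for(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Compare the sniffed content type with the one expected for the
 * extension. Extensions without an entry in EXPECTED_MIME are not
 * content-checked here.
 */
function content_matches(string $ext, string $bytes): bool
{
    if (!array_key_exists($ext, EXPECTED_MIME)) {
        return true;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->buffer($bytes) === EXPECTED_MIME[$ext];
}

// Constructed samples: client file name => content of the upload.
$gif = "GIF89a\x01\x00\x01\x00\x00\x00\x00;";
$php = "<?php echo 'constructed sample'; ?>";
$samples = [
    'photo.gif'    => $gif,   // allowed extension, GIF content
    'file.txt.php' => $php,   // executable final extension
    'file.php.txt' => $php,   // double extension, final one allowed
    'avatar.gif'   => $php,   // allowed extension, PHP content
];

foreach ($samples as $clientName => $bytes) {
    $stored = stored_name_for($clientName);
    if ($stored === null) {
        echo "$clientName: rejected (extension)\n";
        continue;
    }
    $ext = pathinfo($stored, PATHINFO_EXTENSION);
    if (!content_matches($ext, $bytes)) {
        echo "$clientName: rejected (content type)\n";
        continue;
    }
    // In a real handler this is where move_uploaded_file() would write
    // $_FILES[...]['tmp_name'] to the upload directory as $stored.
    echo "$clientName: stored as $stored\n";
}
```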

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi!

Each field name of the form must be an array, so for example, change:

<select id="field-BX_height" name="BX_height">

To:

<select id="field-BX_height" name="BX_height[]">

As you are already doing with BX_NAME[], apply the same concept to height and weight and then it should work fine.

cereal 1,524 Nearly a Senior Poster Featured Poster

I see, thanks for sharing your solution! Besides my regular expression pattern was wrong, sorry for that... here's an updated version to match only \n:

$pattern = '/^([\\\\]?n|[\n])(.*)+$/';

This will catch the line feed and the \n when single quoted, in fact if you do:

$a = '\n';
echo ord($a);

You get 92 instead of 10, because it matches just the backslash. The above expression instead searches for both situations, here's a new example:

<?php

    $array = array(
        array('C1TEXT' => 'test'),
        array('C1TEXT' => '\nb'),       # single quotes
        array('C1TEXT' => "\na"),       # double quotes
        array('C1TEXT' => '\r'),
        array('C1TEXT' => '0003'),
    );

    foreach($array as $list => $lvalue)
    {
        foreach($lvalue as $key => $value)
        {
            preg_match('/^([\\\\]?n|[\n])(.*)+$/', $value, $match);
            if($match)
                unset($array[$list]);               
        }
    }

    print_r(array_merge($array));

The ending array_merge() will reindex the array and outputs:

Array
(
    [0] => Array
        (
            [C1TEXT] => test
        )

    [1] => Array
        (
            [C1TEXT] => \r
        )

    [2] => Array
        (
            [C1TEXT] => 0003
        )

)

Doing one more step, you can use the pattern to match the carriage return, as for the line feed echo ord('\r') returns 92 instead of 13, but you can do a switch to catch the second character, i.e. r, for example:

foreach($array as $list => $lvalue)
{
    foreach($lvalue as $key => $value)
    {
        preg_match('/^([\\\\]?(n|r)|[\n|\r])(.*)+$/', $value, $match);

        if($match)
            switch(ord($match[2]))
            {
                # n
                case 110:

                # "\n" assumes 0 because:
                # $match[0] & [1] will return 10 and
                # $match[2] will be empty
                case 0:
                    unset($array[$list]);
                    break;

                # r
                case 114: …
gabrielcastillo commented: Great solution. +4
cereal 1,524 Nearly a Senior Poster Featured Poster

The function array_walk_recursive will set the index key as second argument of the mapped function, the third argument will be the third of the function, since ltrim takes only two arguments it's better to define a custom function.

Now, the main problem is that array_walk_* cannot modify the structure of the array, so you cannot unset an index from the array, but you can change a value, in order to do this you must not return but simply set the value, basically:

function a(&$value, $key, $options)
{
    if(... condition ...)
        $value = '';
}

Note the reference &$value, otherwise the change is not registered by the original array.

The other problem is represented by the quotes, if in the array \n is surrounded by single quotes, then it is not considered a line feed character, but two separate characters, if instead you use double quotes you have a line feed:

$a = '\n';    # two chars
$b = "\n";    # line feed

Now, you can use a regular expression to match both cases, a pattern like this '/[\n\-n](.*)+$/' should work, and this is the full example:

<?php

    function _ltrim(&$value, $key)
    {
        preg_match('/[\n\-n](.*)+$/', $value, $match);
        if($match)
            $value = '';
    }

    $array = array(
        array('C1TEXT' => 'test'),
        array('C1TEXT' => '\n'),    # single quotes
        array('C1TEXT' => "\n"),    # double quotes
        array('C1TEXT' => '\r'),
        array('C1TEXT' => '0003'),
        );

    array_walk_recursive($array, '_ltrim');
    print print_r($array) . PHP_EOL;

It will output:

Array
(
    [0] => Array
        (
            [C1TEXT] => test
        )

    [1] => Array
        ( …
gabrielcastillo commented: very helpful +4
cereal 1,524 Nearly a Senior Poster Featured Poster

Ok, there is an API key for server applications and another for browser applications, with the Javascript Google Maps API, you must use the browser applications API Key.

Can you play the example code with your key?

<!DOCTYPE html>
<html>
    <head>
        <style type="text/css">
            html, body, #map-canvas { height: 100%; margin: 0; padding: 0;}
        </style>
        <script type="text/javascript"
        src="https://maps.googleapis.com/maps/api/js?key=API_KEY">
        </script>
        <script type="text/javascript">
            function initialize() {
                var mapOptions = {
                    center: { lat: -34.397, lng: 150.644},
                    zoom: 8
                };

                var map = new google.maps.Map(document.getElementById('map-canvas'), mapOptions);
            }

            google.maps.event.addDomListener(window, 'load', initialize);
        </script>
    </head>
    <body>

        <div id="map-canvas"></div>

    </body>
</html>

If you replace API_KEY with yours, you should be able to see the activity usage in the Google Developers Console.

If this does not help you, then please share an example that reproduces your issue.

cereal 1,524 Nearly a Senior Poster Featured Poster

@cilla I believe it also, for this reason I wrote:

at first I thought yours was a simple edit to cover your credentials...

since English is not my main language, and being in doubt, I prefer to make an obvious observation. Thanks for the clarification :)

cereal 1,524 Nearly a Senior Poster Featured Poster

Would those be in the same file or separate?

You can use both methods, by default the Windows setup will use a single file, httpd-vhosts.conf, as defined by httpd.conf. But you can change the statement to include any .conf file in the defined directory, for example:

IncludeOptional conf/sites-enabled/*.conf
cereal 1,524 Nearly a Senior Poster Featured Poster

Hmm, not that I'm aware of, but I haven't a good knowledge of Apache Windows setups, in linux each VirtualHost needs a specific DocumentRoot and a matching Directory, used to override the main configuration httpd.conf, basically:

<VirtualHost *:80>

    ServerName my.test.dev
    DocumentRoot /var/www/test.dev

    <Directory /var/www/test.dev>
        # rules
    </Directory>

</VirtualHost>
cereal 1,524 Nearly a Senior Poster Featured Poster

Then try empty():

if( ! empty($trans_autista) && ! empty($cat))
{
    # execute query
}

This will match null, false and empty strings: http://php.net/empty

But be careful: empty() will match also 0, so if you have a category 0 the condition will fail.

By the way, the insert query does not support the WHERE statements, you can do it by inserting the subquery in the first SELECT:

INSERT INTO trans_autista (autista, ditta) SELECT '$trans_autista', '$cat' FROM dual WHERE NOT EXISTS (select autista FROM trans_autista WHERE autista = '$trans_autista' AND ditta = '$cat') limit 1;

And it should work.

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

If you are referring to the value of the variables then check it before executing the query:

if( ! is_null($trans_autista) && ! is_null($cat))
{
    # execute query
}

If instead you are referring to the table rows, then create a unique index of autista and ditta columns. And then use INSERT IGNORE ...

cereal 1,524 Nearly a Senior Poster Featured Poster

It happens because the query returns FALSE instead of returning a result set, there is an error in your query, try to add the quotes around $name:

... category = '$name' ...

But you should really switch to prepared statements:
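
The advice in the last three posts (the duplicate check on autista and ditta, the unique index with INSERT IGNORE, and prepared statements for the category lookup) combined in one added example that is not part of the original posts. It assumes the pdo_sqlite extension so that it runs without a database server; with MySQL the statement is INSERT IGNORE rather than INSERT OR IGNORE, and the index name and sample rows are constructed.

```php
<?php
// Added example, not from the original posts. SQLite in memory is an
// assumption made so the script runs offline; table and column names
// follow the posts above, the index name and the data are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE trans_autista (autista TEXT NOT NULL, ditta TEXT NOT NULL)');
// The unique index makes the database enforce "one row per pair".
$pdo->exec('CREATE UNIQUE INDEX uq_autista_ditta ON trans_autista (autista, ditta)');

/**
 * Insert the pair unless it already exists. Returns true when a row was
 * added, false when the unique index turned the statement into a no-op.
 */
function add_autista(PDO $pdo, string $autista, string $ditta): bool
{
    $stmt = $pdo->prepare(
        'INSERT OR IGNORE INTO trans_autista (autista, ditta) VALUES (?, ?)'
    );
    $stmt->execute([$autista, $ditta]);
    return $stmt->rowCount() === 1;
}

/** Look up rows by ditta; the value travels as a bound parameter. */
function find_by_ditta(PDO $pdo, string $ditta): array
{
    $stmt = $pdo->prepare('SELECT autista FROM trans_autista WHERE ditta = ?');
    $stmt->execute([$ditta]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input, including values that would break a query built
// by string concatenation.
$rows = [
    ['Rossi', 'Alfa'],
    ['Rossi', 'Alfa'],              // duplicate pair
    ["O'Neil", 'Alfa'],             // quote inside the value
    ['Bianchi', "x' OR '1'='1"],    // quote and SQL keywords in the value
];

foreach ($rows as [$autista, $ditta]) {
    $added = add_autista($pdo, $autista, $ditta) ? 'inserted' : 'skipped';
    echo "$autista / $ditta: $added\n";
}

// Both lookups bind the search value, so it is only ever compared as data.
print_r(find_by_ditta($pdo, 'Alfa'));
print_r(find_by_ditta($pdo, "x' OR '1'='1"));
```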

cereal 1,524 Nearly a Senior Poster Featured Poster

It means you're using version 1.7.2?

My opinion: since you're using CI it is highly convenient to switch to the last version, there are not much changes to do to controllers and models except adding the prefix CI_. Between 1.7.* and 2.2.* there is a huge list of improvements and bug fixes.

Here's the changelog:

If you were using something else, let's say Laravel 3.* then I would understand your point, the latest versions are really something else, not compatible at all.

/opinion

Now, regarding your problem I can only suggest to check if file name for this controller has the underscore and it's all lowercase, if this does not help, then try to remove the underscore from the file name and from the class name. Or simply try to replace this file with a new one.

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

you can set only one thead for each table, here you're setting two of them, and the number of columns must match those in the tbody block. You can set multiple tbody blocks, for example you can create a tbody block to emulate the second header. Otherwise you have to create two separated tables.

Really basic code looks like:

<table>

    <thead>
        <tr>
            <th></th>
            <th></th>
            <th></th>
        </tr>
    </thead>

    <!-- sub header -->
    <tbody>
        <tr>
            <td></td>
            <td></td>
            <td></td>
        </tr>
    </tbody>

    <!-- data here -->
    <tbody>
        <tr>
            <td></td>
            <td></td>
            <td></td>
        </tr>
    </tbody>

    <tfoot>
        <tr>
            <td></td>
            <td></td>
            <td></td>
        </tr>
    </tfoot>

</table>

Here's an example with two tbody blocks and arrays as dataset:

Just click Run to see the execution of the code. You can edit it, just be aware that in the next few hours (8pm PST) Runnable is going in maintenance mode, so any eventual draft you create will be deleted.

Besides your link is broken, is missing the .com.

cereal 1,524 Nearly a Senior Poster Featured Poster

Ops! There's still an error, change:

class Cadd_latihan extends Controller

To:

class Cadd_latihan extends CI_Controller
cereal 1,524 Nearly a Senior Poster Featured Poster

Since there were suggested few solutions... here's mine :p

Use CJS or GreaseMonkey (TamperMonkey in Firefox) extension to embed a tiny javascript:

Target = document.getElementsByClassName("post-first")[0];
Target.className="margin-bottom clear";

It removes .post-first from the DOM and returns the standard styling for the first post. I find it really difficult to read all text in bold.

@Dany could you limit the new styling only to not logged users?

cereal 1,524 Nearly a Senior Poster Featured Poster

If you write:

onClick="parent.location='cadd_latihan/'"

your link is relative to the page in which this is clicked, so if you open it in /home/ the client asks for /home/cadd_latihan/, if you click it in /contact/ the client asks for /contact/cadd_latihan/. To fix it, add a leading slash to the url and it should work:

onClick="parent.location='/cadd_latihan/'"
cereal 1,524 Nearly a Senior Poster Featured Poster

You're inserting $id directly in the prepared statement, use the array in the execute method:

$stmt = $pdo->prepare("UPDATE van SET `position` = @a:= @a + 1 WHERE day = ?");
$stmt->execute(array($id));

This should fix the issue.

cereal 1,524 Nearly a Senior Poster Featured Poster

You're welcome!

I would try to change the database configuration values, line per line, and verifying if there are some changes. In particular I would focus on these lines:

$active_record = TRUE;

$db['default']['username'] = '$username';
$db['default']['password'] = '$password';

$db['default']['port']     = '3306';

$db['default']['dbdriver'] = 'mysql';

In order: try to set active record to FALSE, be sure that username and password are correctly set, right now with single quotes PHP will send literally $username & $password, not the assigned values, to send those you have to use double quotes:

$db['default']['username'] = "$username";
$db['default']['password'] = "$password";

Or simply remove them:

$db['default']['username'] = $username;
$db['default']['password'] = $password;

Not sure the issue is this, but it could be, at first I thought yours was a simple edit to cover your credentials...

Be sure the database is listening on port 3306 and that it is not served through a local socket.

Regarding the driver, instead, you could try by setting mysqli or pdo and see what happens.

cereal 1,524 Nearly a Senior Poster Featured Poster

What's your purpose? You cannot access the client path of an uploaded file, because the browser operates in a sandbox and will send only the file and the name.

If instead you simply want a link, then you cannot use the file input control, use text or if using HTML5, url:

<input type="text" name="link" />
<input type="url" name="link" />

the only difference between the two is the user experience, Google Chrome, for example, will require the user to type an url provided by the protocol, for example: http://, ftp://, file://.

More information here: http://diveintohtml5.info/forms.html

showman13 commented: Just exactly the answer I needed +3
cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

do you have some sort of referer filter that could block the access from your company network? Are you using access control directives to block an IP range or some specific user agents?

If not, then ask the hosting company if they banned your IPs from their network.

cereal 1,524 Nearly a Senior Poster Featured Poster

Ok, this seems to be the httpd.conf file not a VirtualHost config. Anyway, when you set the DocumentRoot you must set a Directory directive to setup the matching path that will store the website files, the values of both directives must match:

DocumentRoot "E:/public_html/SiteName"
<Directory "E:/public_html/SiteName">

So the configuration should look like this:

DocumentRoot "E:/public_html/SiteName"
<Directory "E:/public_html/SiteName">

    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    #AllowOverride None
    AllowOverride All

    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all
</Directory>

Once you make a change remember to reload the server, otherwise it will continue to use the old configuration values.

Side note - Apache 2.4 introduced some changes regarding access control and other features:

cereal 1,524 Nearly a Senior Poster Featured Poster

Ok WordPress doesn't require that config, so it must be something with the virtualhost configuration, can you share it? Besides have you added index.php to the DirectoryIndex directive?

Docs: http://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex

cereal 1,524 Nearly a Senior Poster Featured Poster

Ok, are you trying to install custom code? Sometimes the DocumentRoot should be something like:

E:/public_html/SiteName/public

It happens, for example, with Laravel and other frameworks or CMS systems: in the parent directory (i.e. E:/public_html/SiteName) you install the application and the core data, in the DocumentRoot (i.e. E:/public_html/SiteName/public) just the index page and the assets.

When the required setup is like the above then you experience this kind of issues.

cereal 1,524 Nearly a Senior Poster Featured Poster

By using PDO you can execute two prepared statements, for example:

<?php

    try {
        $pdo = new PDO("mysql:dbname=db", "user", "pass");
    }

    catch (PDOException $e) {
        die('Connection failed: ' . $e->getMessage());
    }

    $value1 = 10;
    $value2 = 2;

    $stmt = $pdo->prepare("SET @a = ?");
    $stmt->execute(array($value1));

    $stmt = $pdo->prepare("UPDATE van SET position = @a:= @a + 1 where day = ?");
    $stmt->execute(array($value2));

But if you do not need @a somewhere else, then you can execute one single query:

    $stmt = $pdo->prepare("UPDATE van SET position = ? + 1 where day = ?");
    $stmt->execute(array($value1, $value2));
cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,
let me understand, you get two arrays from a form, for example:

$a = [1,2,3,4,5];
$b = [10,11,12,13,14];

Then you combine them to have $a as keys and $b as values and finally you loop them and use each pair as WHERE conditions in your update queries.

So what's the exact problem? Could you provide some example arrays and desired output? Also, how do you define the $count variable?

cereal 1,524 Nearly a Senior Poster Featured Poster

Have you set the DocumentRoot with the correct path? Consider this must be an absolute path. More information here:

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

not tested, but according to the library, dompdf works in a chroot so it will not consider files outside of its path, this is defined here:

/**
 * ==== IMPORTANT ====
 *
 * dompdf's "chroot": Prevents dompdf from accessing
 * system files or other files on the webserver.
 * All local files opened by dompdf must be in a subdirectory
 * of this directory.
 * DO NOT set it to '/' since this could allow an attacker
 * to use dompdf to read any files on the server. This
 * should be an absolute path.
 * This is only checked on command line call by dompdf.php,
 * but not by direct class use like:
 * $dompdf = new DOMPDF();
 * $dompdf->load_html($htmldata);
 * $dompdf->render();
 * $pdfdata = $dompdf->output();
 */
def("DOMPDF_CHROOT", realpath(DOMPDF_DIR));

To solve you can move the images to the dompdf root, or to the temp directory, which is defined here:

def("DOMPDF_TEMP_DIR", sys_get_temp_dir());

You can edit the dompdf_config.custom.inc.php file and set your own temp directory, just uncomment the following line:

//define("DOMPDF_TEMP_DIR", "/tmp");

And set an absolute path, for example:

define("DOMPDF_TEMP_DIR", $_SERVER["DOCUMENT_ROOT"]."/images/");

Another solution is to set DOMPDF_ENABLE_REMOTE to TRUE, by default is not active:

def("DOMPDF_ENABLE_REMOTE", false);

With this enabled you can use remote files, so you just need to use absolute links to define the image resource, in practice:

<img src="http://www.mywebsite.tld/images/photo001.jpg" />

Instead of simply:

<img src="/images/photo001.jpg" />

If you still do not solve the problem, share …

cereal 1,524 Nearly a Senior Poster Featured Poster

The first error happens because the throwExceptionOnError() method is missing from your class. Regarding the second warning, as explained by the message: define the default timezone in your php.ini file or use:

date_default_timezone_set('UTC');

More information here:

By the way, the following class seems to match your constructor code, as you see, at the end of the file, there is also the missing method:

If you still don't solve then share your full class.

cereal 1,524 Nearly a Senior Poster Featured Poster

Check also the Mozilla Developer Network: https://developer.mozilla.org/en-US/

In particular read their HTML[5], CSS and Javascript sections.

cereal 1,524 Nearly a Senior Poster Featured Poster

MySQL can store up to 16TB per table, but it depends on OS/filesystem in use, with linux the limit is 4TB per table, source:

MSSQL seems capable of 16TB:

I will add PostgreSQL to the comparison, which can handle up to 32TB per table:

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, have you asked support to the AVS helpdesk?

cereal 1,524 Nearly a Senior Poster Featured Poster

Seems fine, go to

C:\xampp\htdocs\Bonfire-master\bonfire\codeigniter\database\drivers\mysql\mysql_driver.php

Line 73, method db_connect(), you find:

return @mysql_connect($this->hostname, $this->username, $this->password, TRUE);

change it, temporarily for this issue, to:

$conn = mysql_connect($this->hostname, $this->username, $this->password, TRUE) or die(mysql_error());
return $conn;

And then reload the page, you should see the real error that makes the connection fail.

//EDIT

By the way, in order to complete the setup process in Bonfire, you have to copy the database.php file into the development directory, so copy:

bonfire/application/config/database.php

To:

bonfire/application/config/development/

Just copy, do not move it. Bye!

cereal 1,524 Nearly a Senior Poster Featured Poster

Your configuration works fine for me, just make sure to enable all the modules requested by this procedure, I did a fresh install of Apache and I had to enable these modules:

  • session
  • session_cookie
  • session_crypto
  • request
  • auth_form

After that everything worked fine. For example by using AuthFormProvider file Apache requires the authn_file module which is usually enabled by default, but make sure it is on.

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

your configuration seems fine, but try to remove the mod_auth_form directives from the .htaccess file, most of these can be applied only to directory context, not in .htaccess:

Also, did you encode the passwords in the AuthUserFile with htpasswd? Docs:

cereal 1,524 Nearly a Senior Poster Featured Poster

Ok, I see the problem, in the update query that starts at line 25 you have this:

interests       = '".$_POST['interests']."' ,

If $_POST['interests'] was a string then this would work fine, but it's an array, so you have to implode it:

$interests = implode(',', $_POST['interests']);

Then the update query will save the values:

interests       = '".$interests."' ,

Then, when you retrieve the results from user_info table and save them into $fetch_info, you can decide to display them directly as comma separated values, or you explode them:

$interests = explode(',', $fetch_info['interests']);

So you can now loop the array:

echo "<ul>";
foreach($interests as $interest)
{
    echo "<li>$interest</li>";
}
echo "</ul>";

Oh, regarding your queries you should really use prepared statements, at the moment your queries can be manipulated through SQL injections, read about PDO or MySQLi:

Consider also filter_input() to sanitize and validate the input you receive from users, never trust what is sent from clients:

Hope it helps, bye!

cereal 1,524 Nearly a Senior Poster Featured Poster

This because at the moment you're just looping the received array, I don't see any variable that could return a database result set. Can you show how you build the WHERE conditions and the final query?

cereal 1,524 Nearly a Senior Poster Featured Poster

Yes, but if you can give more details we can suggest proper solutions... just to consider a possible scenario: if these are going to be used in a search query you can convert them into a CSV string and use the MySQL FIND_IN_SET() function:

For example:

<?php

$pdo    = new PDO('dsn', 'user', 'pass');
$items  = implode(',', $_POST['items']);
$stmt   = $pdo->prepare("SELECT * FROM records WHERE FIND_IN_SET(id, ?)");

$stmt->execute([$items]);
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);

print_r($result);

About PDO:

cereal 1,524 Nearly a Senior Poster Featured Poster

If referring to filter_input() this is not custom, it's part of PHP:

and it's ok, even submitting something like 10 OR 1=1 the filter will sanitize it to 1011. But keep in mind that it doesn't affect $_GET, $_POST and $_REQUEST, so never do:

$record = filter_input(INPUT_GET, 'recordID', FILTER_SANITIZE_NUMBER_INT);

if($record)
    echo $_GET['recordID']; # <- not good

Because it will output the unsanitized data. In any case, if you're going to use this input in a query, then use prepared statements.

iamthwee commented: thanks for the correction +0
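
The difference between sanitizing and validating the recordID value discussed in the post above, as an added example that is not part of the original post. It uses filter_var() on a constructed array in place of filter_input() on $_GET so that it runs from the command line; the function names and the min_range option are assumptions made for the illustration.

```php
<?php
// Added example, not from the original post. filter_var() stands in for
// filter_input() so the script runs from the command line; $requests is
// a constructed substitute for the $_GET array of four requests.

$requests = [
    ['recordID' => '42'],
    ['recordID' => '10 OR 1=1'],
    ['recordID' => '-7'],
    [],                               // parameter missing
];

/**
 * Sanitizing strips every character except digits, "+" and "-", so a
 * malformed value is silently rewritten into a different number.
 */
function sanitized_id(array $get): ?string
{
    if (!isset($get['recordID'])) {
        return null;
    }
    return filter_var($get['recordID'], FILTER_SANITIZE_NUMBER_INT);
}

/**
 * Validating rejects the value instead of rewriting it and can enforce
 * a range. Returns an int, or null when the input is not acceptable.
 */
function validated_id(array $get): ?int
{
    if (!isset($get['recordID'])) {
        return null;
    }
    $id = filter_var($get['recordID'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

foreach ($requests as $get) {
    $raw = $get['recordID'] ?? null;
    $id  = validated_id($get);

    printf("raw=%s sanitized=%s validated=%s\n",
        var_export($raw, true),
        var_export(sanitized_id($get), true),
        var_export($id, true));

    // From here on only $id is used, never the raw request value again.
    if ($id !== null) {
        echo "  would load record $id\n";
    }
}
```
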
cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

try to understand how the infection was accomplished, if by using a compromised FTP account (check server logs, change passwords, secure client machines) or because of a code bug, in this last case there's a lot of documentation you can read:

Then if you have some doubts about specific procedures show us some example codes.

iamthwee commented: +1 +14
cereal 1,524 Nearly a Senior Poster Featured Poster

it's fixed but the images are blur. it's a transparency thing?

Hmm, it depends which kind of image format you are using, PNG supports the alpha channel (i.e. transparency), JPEG no.

Also it depends on the original quality of the image, the amount of manipulations done, for example from jpeg to jpeg there is a constant loss of information, then the colorspace and the filter applied to the resize can help a lot, as also the unsharp method. With Imagemagick you can control colorspace, filters and the sharpness.

In practice you have to do some tests to create the best setup for the kind of images you're going to resize. For more information about filters, colorspace and sharpness read:

Not directly related to PHP:

and i am figuring that if i create three different folders (400X400, 150X150, THUMB) that will take space in the server right?

Yes, it can take space when you start to handle thousands of files, but it's worth to pre-process them because:

  1. image resizing is one of the most intensive tasks for web servers, if you have many users at the same time then the server can start to swap;
  2. your method implies to save the original uploaded file, which can reach the limit: for example 2MB. The three (400x400, 150x150, 50x50) resized images, instead, will …
cereal 1,524 Nearly a Senior Poster Featured Poster

Ok, the above code seems fine to me.

Regarding your link, I see some PNG blob data injected directly in the source of the HTML page, so there must be something else going on, which is probably related to the include of this script:

include('imagemagick.php'); 

If the above is this:

then you don't need it and you can remove it safely, that's just an example. And apart from that, in the source, I can see the blocks generated by your script:

<a class="show-all-audio" href="#show-all-audio748" style="cursor:pointer" id="show_all_audio">
<img src="http://www.rovespier.com/uploads/thumbs/142271296722.gif" class="small_icon" original-title="hjhhj">
</a>

So, this part seems to work fine to me. Just a note: if this is a display page, then you should not resize the images each time, it's a resource intensive task, you should resize them during the upload progress and then simply link them.