cereal 1,524 Nearly a Senior Poster Featured Poster

Check the value of LimitRequestBody in the Apache configuration file, every request larger than this limit will be blocked, PHP will not even reply. After you adjust the value reload Apache, otherwise the change will not apply.

Docs: http://httpd.apache.org/docs/current/mod/core.html#limitrequestbody

By the way: if you check the response headers to the upload request, when hitting the server limits you should receive the 413 - Request entity too large error, so as previously suggested the error and access logs of Apache can be useful sources to track down the error.

cereal 1,524 Nearly a Senior Poster Featured Poster

You're welcome! You can use the same column name, but you need to prepend the table name or its alias, or you have to change the query: the database engine cannot decide which column you're referring to. Check the documentation about this error and the proposed resolutions:

cereal 1,524 Nearly a Senior Poster Featured Poster

Add one of the table aliases to the column, so:

WHERE br.patron_ID = '$patron_ID'";

The error happens because you're using two tables with the same column name.

cereal 1,524 Nearly a Senior Poster Featured Poster

Are you trying to remove the page argument through javascript because you've previously added it through javascript?

I repeat: can you show us how you implement the pagination? Better: can you show us how you create these links? Perhaps by appending the query string to the form action? Example:

<form action="index.php<?php echo isset($_SERVER['QUERY_STRING']) ? '?'.$_SERVER['QUERY_STRING']:''; ?>">

cereal 1,524 Nearly a Senior Poster Featured Poster

@vizz

hi, you should pay the license and respect their copyright: http://www.menucool.com/ otherwise switch to the free version.

cereal 1,524 Nearly a Senior Poster Featured Poster

As suggested by the error message: check the error log for Apache. If you have doubts paste or attach a file with the contents here.

cereal 1,524 Nearly a Senior Poster Featured Poster

Are you appending the query string to the form used to submit the new query? Can you show how you apply the pagination class in your results script?

cereal 1,524 Nearly a Senior Poster Featured Poster

Then I type "xsp2 --root /usr/share/asp.net2-demos/" but the result isn't the one shown in the page. I should just type xsp2 to get:

Listening on port: 8080 (non-secure)
Listening on address: 0.0.0.0
Root directory: /usr/share/asp.net-demos
Hit Return to stop the server.

By typing xsp2 --root /usr/share/asp.net2-demos/ you should get the error:

Error: Directory "/usr/share/asp.net2-demos/" not found.

Because /usr/share/asp.net2-demos/ does not exist, when installing asp.net-examples you get /usr/share/asp.net-demos/, this is the correct path. Instead, by using only xsp2 (without arguments) the server sets the root to the current directory, for example, here I'm trying from /tmp/:

xsp2
Listening on address: 0.0.0.0
Root directory: /tmp
Listening on port: 8080 (non-secure)
Hit Return to stop the server.

So, try with:

xsp2 --root /usr/share/asp.net-demos/

It should work, requesting: http://127.0.0.1:8080/ from the browser. Then, if you want, you can start applications by creating a config file, as the example in /etc/xsp2/debian.webapp:

xsp2 --appconfigfile /etc/xsp2/debian.webapp

Or by defining the path for the application:

xsp2 --applications http://localhost:8080:/samples:/usr/share/asp.net-demos

For more information run xsp2 -h and man xsp2, bye!

cereal 1,524 Nearly a Senior Poster Featured Poster

I get the same error as before(application exception) with different Exception stack traces!

Ok, can you show these exceptions?

For example, the first exception you posted is an HTTP 404, this is the reason why I suggested you to check the default value for the index pages of the web server: in some cases it can be default.aspx instead of index.aspx, which does not match with the contents of /usr/share/asp.net-demos/. Don't you have a file like web.config or machine.config to define this value?

cereal 1,524 Nearly a Senior Poster Featured Poster

Check the default index for XSP2, inside /usr/share/asp.net-demos/ there is an index.aspx and two directories 1.1 and 2.0.

So, as test, you can try to call them directly:

cereal 1,524 Nearly a Senior Poster Featured Poster

Try with preg_match():

function validateScore($score)
{
    $score = trim($score);
    $pattern = '/^\d{1,2}[\s]?-[\s]?\d{1,2}$/';
    return preg_match($pattern, $score) == 1 ? true : false;
}

Valid inputs are:

var_dump(validateScore('2-0'));
var_dump(validateScore('2- 0'));
var_dump(validateScore('2 -0'));
var_dump(validateScore('2 - 0'));

Spaces around the string are removed by trim(). To validate only those without spaces between the dash change the pattern to:

$pattern = '/^\d{1,2}-\d{1,2}$/';

preg_match() returns integers 1 for true, 0 for false, the above function, instead, will return booleans. The flag \d will search for digits, {1,2} limits the range to 0-99.

cereal 1,524 Nearly a Senior Poster Featured Poster

You could also try with Composer: create a private repository and use a php/batch script to run the install or update process for your application, the only requirement for the clients is to have the composer binary installed.

Read: https://getcomposer.org/doc/05-repositories.md#hosting-your-own

The same can be done with PEAR, but some of the management tools, such as Pirum, are no longer maintained in favour of Composer. This can deal also with private repositories in Github or Bitbucket.

cereal 1,524 Nearly a Senior Poster Featured Poster

You can use mysqldump:

mysqldump -uUSER -pPASSWORD DATABASE > backup.sql

Change USER, PASSWORD and DATABASE to match yours, you can add --routines to backup user defined functions and procedures.

More information here:

cereal 1,524 Nearly a Senior Poster Featured Poster

The first code block can work, the second no, because when the IF statement fails it will run the query anyway, generating an error.

Now, as suggested by Gabriel, you have to verify if the checkboxes are set, if you're still using the doku[] array, you can create a white list of expected values:

<?php

    if(isset($_POST['doku']) && is_array($_POST['doku']))
    {
        # BMK81A
        if(in_array('BMK81A', $_POST['doku']))
            $BMK81A = 1;
        else
            $BMK81A = 0;

        # BMK81
        if(in_array('BMK81', $_POST['doku']))
            $BMK81 = 1;
        else
            $BMK81 = 0;

        # DL3 and so on ...



        # update query here

    }

And repeat the IF statement for each element of the doku array. It's important to set a default value for the missing checkboxes, otherwise the update query will run fine only when all checkboxes are checked.

cereal 1,524 Nearly a Senior Poster Featured Poster

This error is related to the insert query, check the syntax before 'DL2='', , if in doubt post your query here.

cereal 1,524 Nearly a Senior Poster Featured Poster

Add the brackets to extend the statement, otherwise the IF condition will apply only to $IC2= $_SESSION['IC2']; because it finds the ; character, so:

if ( isset($_POST['BMK81A']) && isset($_POST['BMK81']) && isset($_POST['DL3']) && isset($_POST['DL2']) && isset($_POST['DL1']) && isset($_POST['S1']) && isset($_POST['S2']) && isset($_POST['S3']) && isset($_POST['S4']) && isset($_POST['S5']) && isset($_POST['S6']) && isset($_POST['S7']) && isset($_POST['D1']) && isset($_POST['A1']) && isset($_POST['RE1']) && isset($_POST['LU2']) && isset($_POST['NPT']) && isset($_POST['SRP']) && isset($_POST['KTDP']) && isset($_POST['KDP']) && isset($_POST['USPD']) )
{
        $IC2= $_SESSION['IC2'];


        $BMK81A = $_POST['BMK81A'];
        $BMK81 = $_POST['BMK81'];
        $DL3 = $_POST['DL3'];
        $DL2 = $_POST['DL2'];
        $DL1 = $_POST['DL1'];
        $S1 = $_POST['S1'];
        $S2 = $_POST['S2'];
        $S3 = $_POST['S3'];
        $S4 = $_POST['S4'];
        $S5 = $_POST['S5'];
        $S6 = $_POST['S6'];
        $S7 = $_POST['S7'];
        $D1 = $_POST['D1'];
        $A1 = $_POST['A1'];
        $RE1 = $_POST['RE1'];
        $LU2 = $_POST['LU2'];
        $NPT = $_POST['NPT'];
        $SRP = $_POST['SRP'];
        $KTDP = $_POST['KTDP'];
        $KDP = $_POST['KDP'];
        $USPD = $_POST['USPD'];

        # other code here

}

cereal 1,524 Nearly a Senior Poster Featured Poster

You have to set the validation rule in the submitform() method:

$this->load->library('form_validation');

$this->form_validation->set_rules('frmDt', 'Date', 'callback__checkdate');

Then you have to add an argument to the _checkdate() method because set_rules() will submit the value of the field specified in its first argument:

function _checkdate($date)
{
    $format = 'Y-m-d H:i:s'; # Must match the desired format
    $d = DateTime::createFromFormat($format, $date);
    return $d && $d->format($format) == $date;
}

Reference:

cereal 1,524 Nearly a Senior Poster Featured Poster

Can you show the table schema and an example of the query you want to perform? Have you tried the column BETWEEN min AND max statement? Are you saving the timezone differences for each user?

Documentation:

cereal 1,524 Nearly a Senior Poster Featured Poster

Check this link:

In practice you have to save the current position for each user and calculate the distance through a database query.

Note MySQL supports spatial indexes only with MyISAM and InnoDB engines, the latter since 5.7.5. But you may want to consider PostGIS also.

cereal 1,524 Nearly a Senior Poster Featured Poster

It happens because the url opening the page does not set the id parameter:

yourpage.php?id=123

To prevent this error you can add a check. array_key_exists will not consider if id is empty or not ?id= vs ?id=21, but only if the key exists:

if( ! array_key_exists('id', $_GET))
{
    die('Error: missing id');
}

Then you have to cast the value: if you're using integers for the student_id then do not allow other characters, for example:

$_GET['id'] = is_numeric($_GET['id']) ? intval($_GET['id']) : 0;

The above is used to prevent returning 1 when submitting empty arrays to intval, for example ?id=[].

You should definitely use prepared statements to prevent sql injections: use the mysqli bind method to cast the values but if you use $_GET['id'] somewhere else, for example for the redirect, then you always need to verify that the value is legit.

For more information about the validation process read this:

cereal 1,524 Nearly a Senior Poster Featured Poster

Ok, few questions:

  1. createdate is a datetime column?
  2. if yes, can you show the date format sent by the form?
  3. can you show the table schema? I'm not sure if you want to compare the date_in and date_out columns.

If the where condition is applied, it shouldn't return rows out of the range, an example here: http://sqlfiddle.com/#!2/6f8dbc/5

If the schema matches then you can try to modify the example on sqlfiddle to get your desired results.

cereal 1,524 Nearly a Senior Poster Featured Poster

You have to initialize the variables: if $submit is not set then $sql is not initialized and the query will fail.

Also for the query you can use the column BETWEEN value AND value condition. So change your code to:

$submit = $_POST['submit'];

# all code under this condition
if($submit)
{
    $sql = "SELECT * FROM inventory WHERE createdate BETWEEN '$date_in' AND '$date_out'";

    $result = mysql_query($sql) or die(mysql_error());

    if(mysql_num_rows($result) > 0)
    {
        while($row = mysql_fetch_array($result))  
        {
            echo "
            <tr>

                <td align='center' width='200'>
                {$row['date_in']}
                </td>

                <td align='center' width='200'>
                {$row['date_out']}
                </td>

                <td align='center' width='200'>
                {$row['model']}
                </td>

            </tr>
            ";  
        }
    }
}

echo "</table>";

For more information check:

You should use prepared statements. Take a look especially to the second link. Bye!
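
The reply above and the earlier one about the missing id parameter both recommend validating input and using prepared statements. An added example (not code from the thread) that does both for the inventory query; the table layout, the sample rows and the use of PDO with an in-memory SQLite database are assumptions made so it runs without a MySQL server:

```php
<?php
// Added example, not code from the thread. PDO with in-memory SQLite is an
// assumption so the script runs offline; the same prepare/bind/execute
// steps apply to MySQL through PDO or mysqli.

// Accept only a real calendar date in YYYY-MM-DD form, else null.
function validDate($value): ?string
{
    if (!is_string($value)) {
        return null;                    // e.g. date_in[]=x arrives as an array
    }
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    return ($d && $d->format('Y-m-d') === $value) ? $value : null;
}

// Accept only a positive integer id, else null.
function validId($value): ?int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;  // rejects '', 'abc', '2 OR 1=1', arrays
}

function inventoryBetween(PDO $pdo, array $input): array
{
    $from = validDate($input['date_in'] ?? null);
    $to   = validDate($input['date_out'] ?? null);
    if ($from === null || $to === null) {
        throw new InvalidArgumentException('date_in and date_out must be YYYY-MM-DD');
    }
    // Values travel as bound parameters, never as part of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT id, model, createdate FROM inventory
          WHERE createdate BETWEEN :from AND :to ORDER BY createdate'
    );
    $stmt->execute([':from' => "$from 00:00:00", ':to' => "$to 23:59:59"]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function inventoryById(PDO $pdo, array $input): ?array
{
    $id = validId($input['id'] ?? null);
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, model, createdate FROM inventory WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed schema and sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE inventory (id INTEGER PRIMARY KEY, model TEXT, createdate TEXT)');
$pdo->exec("INSERT INTO inventory (model, createdate) VALUES
    ('A100', '2014-08-30 10:00:00'),
    ('B200', '2014-09-10 09:30:00'),
    ('C300', '2014-10-02 18:45:00')");

// Well-formed date range.
print_r(inventoryBetween($pdo, ['date_in' => '2014-09-01', 'date_out' => '2014-09-30']));

// An injection attempt in a date field is rejected before any SQL runs.
try {
    inventoryBetween($pdo, ['date_in' => "2014-09-01' OR '1'='1", 'date_out' => '2014-09-30']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// ?id=2 is looked up; ?id=2 OR 1=1 and ?id[]=2 never reach the database.
var_dump(inventoryById($pdo, ['id' => '2']));
var_dump(inventoryById($pdo, ['id' => '2 OR 1=1']));
var_dump(inventoryById($pdo, ['id' => ['2']]));
```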

cereal 1,524 Nearly a Senior Poster Featured Poster

@ashokkmr22

Probably this does not help because both DateInterval and DatePeriod require PHP 5.3.* as DateTime::diff

Bye!

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, have you tried http://nodeschool.io/ ?

cereal 1,524 Nearly a Senior Poster Featured Poster

Make sure which version of PHP is in use in your host, you can use phpinfo(): http://php.net/manual/en/function.phpinfo.php and if you can upgrade.

For an alternative solution check the comments in the linked documentation, there are some examples with DateTime and strtotime().

In addition you can execute the same operation in MySQL, examples:

> select datediff(now(), date_sub(now(), interval 3 month)) days;
+------+
| days |
+------+
|   92 |
+------+
1 row in set (0.00 sec)

> select datediff(now(), '2014-08-15') days;
+------+
| days |
+------+
|   42 |
+------+
1 row in set (0.00 sec)

So it depends from where this information comes from (database, users forms) and what you want to achieve.

cereal 1,524 Nearly a Senior Poster Featured Poster

It happens because MySQL doesn't seem to really support ISO 8601, but the date is parsed and inserted if the server is not in strict mode, it will generate only a warning that looks like this:

show warnings\G
*************************** 1. row ***************************
  Level: Warning
   Code: 1292
Message: Truncated incorrect datetime value: '2014-09-26T00:47:32+02:00'

Docs:

cereal 1,524 Nearly a Senior Poster Featured Poster

You can use DateTime::sub():

<?php

    $dt = new DateTime('2014-08-31 23:06:00');
    $dt->sub(new DateInterval('P30D'));

    echo $dt->format('Y-m-d G:i:s');

Docs:

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, did you write to the Unirgy team or submit a Bugtraq report?

Follow these instructions: http://www.securityfocus.com/archive/1/description#0.1.8

Apart from that post on the nexcess blog, it seems nobody else treats the issue, maybe they are already working on a patch.

cereal 1,524 Nearly a Senior Poster Featured Poster

Check the version of the remote PHP. DateTime::diff requires version 5.3.*+

cereal 1,524 Nearly a Senior Poster Featured Poster

And Qbasic stands for basic question, not for QBasic correct? :)

Regarding your question check the documentation at this link: http://php.net/manual/en/mysqlinfo.api.choosing.php

cereal 1,524 Nearly a Senior Poster Featured Poster

I don't know how Workbench handles this task, but when changing the path you have to move the data to the new location and you have to restart the database, otherwise it will continue to use the configuration options in memory.

For a detailed explanation read the documentation:

cereal 1,524 Nearly a Senior Poster Featured Poster

It happens because this is the data directory used by the server. If you want to change it then modify the datadir value in the my.cnf file, and then restart MySQL.

Note apart
I don't know how it works with Windows permissions, but in linux the new data directory must be owned by the same user running the MySQL server (usually mysql) with write, read and execution permissions for the owner, and only read and execution permissions for groups and other users.

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, are you using Apache? Have you loaded the mod_wsgi module into Apache?

More information here:

cereal 1,524 Nearly a Senior Poster Featured Poster

So, for example:

<table id="names">
    <tr>
        <td data-name="oranges">
            oranges
        </td>
        <td data-name="apples">
            apples
        </td>
        <td data-name="coconut">
            coconut
        </td>
        <td data-name="strawberries">
            strawberries
        </td>
    </tr>
</table>

<form>
    <input type="text" name="aaa" value="" />
    <input type="text" name="bbb" value="" />
    <input type="text" name="ccc" value="" />
    <input type="text" name="ddd" value="" />
    <input type="text" name="eee" value="" />
</form>

Then you can do:

$("#names td").click(function(){
    var name = $(this).data('name');

    $('input:text:visible').each(function(){
        if($(this).val().length === 0)
        {
            $(this).val(name);
            return false;
        }
    });
});

JSfiddle: http://jsfiddle.net/hmwv1hx7/

cereal 1,524 Nearly a Senior Poster Featured Poster

Use insertGetId():

$id = DB::table('item_tbl')
    ->insertGetId(array('item_name' => $data['itemTb']));

docs: http://laravel.com/docs/queries#inserts

cereal 1,524 Nearly a Senior Poster Featured Poster

Sorry, I'm a bit confused on this php-pfm, are you saying I don't have it, and is it necessary?

Oh no, it is not necessary, this is just a handler for PHP to communicate with the web server. I'm sorry my example created confusion.

Traditional installations (Apache+PHP) use mod_php to bind the PHP engine to the Apache processes.

PHP-FPM (FastCGI Process Manager) is another handler: PHP starts its own daemon on port 9000 and waits for a redirect from the web server, which in this case works as a proxy. The traditional mod_php works only with Apache, while PHP-FPM is supported by many web servers.

This is my output for checking mysql. Am I ok?

Yes and no. Yes because the process is assigned correctly to the mysql user, no because if the database user has the FILE privilege, then he can still read and write files. To avoid it you can remove this grant from non-administrative users or apply the secure-file-priv=/defined/path directive in my.cnf, to limit the action range.

A useful read about securing MySQL can be found here:

As a precaution I may just change the log on details for all my databases.

Good!

cereal 1,524 Nearly a Senior Poster Featured Poster

for each database I create a new username with all permissions except 'grant.' Is that the same thing?

No, it's not the same, I'm referring to the owner of the process, which is system related, i.e. it's outside of the database environment.

How do I know if the mysql runs as root

Run ps -ef | grep mysqld the output should return:

mysql     1346  1129  0 09:39 ?        00:00:01 /usr/sbin/mysqld
    --basedir=/usr
    --datadir=/var/lib/mysql
    --plugin-dir=/usr/lib/mysql/plugin
    --user=mysql
    --pid-file=/var/run/mysqld/mysqld.pid
    --socket=/var/run/mysqld/mysqld.sock
    --port=3306

As you see here the user is mysql. If you see root, instead:

  • make sure the mysql user exists and check which groups are associated, so run: id -nG mysql, it should return only mysql.

  • open /etc/mysql/my.cnf and find the [mysqld] section, there you can change the user from user=root to user=mysql

  • restart the database: sudo service mysql restart, a reload won't change the owner of the process, a restart yes, but if you have problems then stop and start the process again. An issue can happen here: if the logs in /var/log/mysql/ are owned by root then the server will fail to start, if this happens you have to change the ownership of the directory to the mysql user:

    chown -R mysql /var/log/mysql/
    

then you can start the server daemon again. If in doubt check the syslog file:

    tail -n30 /var/log/syslog

If the installation was assigned to the root account, then there could be some other permission issue to solve, for more information read here:

iamthwee commented: thanks pal +0

cereal 1,524 Nearly a Senior Poster Featured Poster

You can use each() to loop them, and then return false when you get the first empty value, as example:

<form>
    <input type="password" name="passwd" value="" />
    <input type="text" name="aaa" value="test 1" />
    <input type="text" name="bbb" value="test 2" />
    <input type="text" name="ccc" value="" />
    <input type="text" name="ddd" value="test 4" />
    <input type="text" name="eee" value="" />
</form>

JS:

$('input:text').each(function(){
    if($(this).val().length === 0)
    {
        console.log($(this).attr('name'));
        return false;
    }
});

Documentation: http://api.jquery.com/each/

cereal 1,524 Nearly a Senior Poster Featured Poster

root 30952 30571 0 14:22 pts/0 00:00:00 grep php-fpm

No, that's the execution of grep, when in use you will see the master process and the workers, as here:

root      1437     1  0 set16 ?        00:00:01 php-fpm: master process (...)                    
www-data  1439  1437  0 set16 ?        00:00:02 php-fpm: pool www                                                       
www-data  1440  1437  0 set16 ?        00:00:01 php-fpm: pool www                                                       
user      8989  5877  0 00:49 pts/1    00:00:00 grep --color=auto php-fpm

The two domains that were sending out spam coincidentally have the same wordpress themes installed where a major vulnerability was discovered... using the revolution slider.

If you have this doubt then change the database password, because they used the database SELECT '<?php /*script*/ ?>' INTO OUTFILE 'config.php' to write to the filesystem, it happens if mysqld (the server process) runs as root, more information here:

iamthwee commented: thanks again +0

cereal 1,524 Nearly a Senior Poster Featured Poster

Are you sure the spammer is using your PHP scripts to send spam and not directly accessing your SMTP server?

Usually the config.php file in CI does not execute code, it's a container for variables, can you verify if the file is genuine?

Also CI includes .htaccess files into the application and system directories with the Deny from all directive: it means the config files are not directly reachable by an HTTP request, the server will return status 403, but it can be opened through another script, for example a fake image file.

But why overwrite the config.php of CI?

I think it's another file, for example, if using PHP-FPM and this is not properly set up, an attacker can upload an image script with embedded code and make the server execute it by appending a fake script name, for example:

/images/smile.jpg

Then from remote the attacker calls:

http://domain.tld/images/smile.jpg/config.php

And the code embedded is executed.

Now, can you check the path of the script from the mail log? Can you scan the system in search of files? If you can open a shell with the server, try this command:

find / -name 'config.php' 2>/dev/null

It should return all the config.php files under the root of the server.

So I was thinking why can't I just turn off sendmail and qmail, which appears to be what my server uses.

Yes, but if there's a backdoor, then they can reactivate it or connect …

iamthwee commented: thanks for the help +14
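
A log check for the request shape described in the post above (an image path followed by a fake script name), as an added example that is not part of the original post; the log lines, the IP addresses and the extension list are constructed:

```php
<?php
// Added example, not code from the thread. The log lines are constructed
// sample data in Apache combined format; the extension list is an assumption.

const STATIC_EXT = 'jpe?g|png|gif|bmp|ico|svg|css|txt|pdf';

// Return [ip, status, path] when the request path has a static-file segment
// followed by a trailing *.php segment, otherwise null.
function pathInfoHit(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;                          // not a parseable log line
    }
    // Drop the query string, then decode so %2e / %2f variants are caught.
    $path = rawurldecode(explode('?', $m[2], 2)[0]);
    $hit  = '~\.(?:' . STATIC_EXT . ')/(?:[^/]+/)*[^/]+\.php$~i';
    return preg_match($hit, $path) ? [$m[1], (int) $m[3], $path] : null;
}

$log = <<<'LOG'
198.51.100.7 - - [26/Sep/2014:00:47:32 +0200] "GET /images/smile.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Sep/2014:00:48:01 +0200] "GET /images/smile.jpg/config.php HTTP/1.1" 200 312 "-" "curl/7.35.0"
203.0.113.9 - - [26/Sep/2014:00:48:05 +0200] "POST /uploads/a.PNG/x.php?c=1 HTTP/1.1" 404 210 "-" "curl/7.35.0"
198.51.100.7 - - [26/Sep/2014:00:49:10 +0200] "GET /index.php/admin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

foreach (explode("\n", $log) as $line) {
    $hit = pathInfoHit($line);
    if ($hit === null) {
        continue;   // plain image requests and index.php/admin style URLs pass
    }
    [$ip, $status, $path] = $hit;
    // A 2xx status means the request was not refused, so the file named in
    // the path is the first one to inspect.
    $note = ($status >= 200 && $status < 300) ? 'SERVED' : 'refused';
    printf("%-8s %-15s %d %s\n", $note, $ip, $status, $path);
}
```

For any line reported as SERVED, inspect the named image file and check cgi.fix_pathinfo in php.ini and security.limit_extensions in the PHP-FPM pool configuration.
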
cereal 1,524 Nearly a Senior Poster Featured Poster

Try by adding GROUP BY ip_username, ip_ip to the current query, it will return all users' ip, or if searching a specific user WHERE ip_username = 'Todor' GROUP BY ip_ip.

cereal 1,524 Nearly a Senior Poster Featured Poster

It can be done through Java Web Start: http://en.wikipedia.org/wiki/Java_Web_Start

You don't need PHP for this. To interact directly with software, instead, in Windows you can use the COM objects: http://php.net/manual/en/book.com.php

cereal 1,524 Nearly a Senior Poster Featured Poster

In such cases you can also set the primary key in the (User) model:

<?php

use Illuminate\Auth\UserInterface;
use Illuminate\Auth\Reminders\RemindableInterface;

class User extends Eloquent implements UserInterface, RemindableInterface {

    protected $table = 'users';
    protected $primaryKey = 'admin_id';

    # other code here
}

API:

Bye!

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, assuming the method is $_POST, you get the equivalent of:

$_POST['subject'][] = 'subject 1';
$_POST['subject'][] = 'subject 2';
$_POST['subject'][] = 'subject 3';
# and so on ...

so you can loop the values:

if(is_array($_POST['subject']))
{
    foreach($_POST['subject'] as $subject)
    {
        # code
    }
}

When debugging and in doubt, print the index:

echo '<pre>';
print_r($_POST['subject']);
echo '</pre>';

So you can realize better how to handle the input. For more information check the documentation:

cereal 1,524 Nearly a Senior Poster Featured Poster

The Auth class is bound to the User model, so when the authentication is satisfied you can access its information, check:

in particular read the Accessing The Logged In User paragraph.

In your case you can do:

public function authenticate()
{
    $fname = User::tryAuthenticate(Input::all());
    return Redirect::to('profile')->with('name', $fname);
}

And make the model method return the name, but it is not necessary, as you can always use Auth::user(), so:

public function authenticate()
{
    # true
    if(User::tryAuthenticate(Input::all())) return Redirect::to('profile');

    # false
    return Redirect::to('login')->with('error', 'Error: wrong credentials.');
}

And make User::tryAuthenticate() just return true or false.

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, you can do:

return Redirect::to('profile')->with('fname', Auth::user()->firstname);

Or:

Session::put('fname', Auth::user()->firstname);
return Redirect::to('profile');

Then you have to get the value from session:

$data['items'] = DB::table('item_tbl')->get();
$data['fname'] = Session::get('fname');
return View::make('profile')->with('items', $data);

But:

  1. when using with() the value is flashed to session, and won't be available in the next request
  2. you can get the value directly in the controller:

    $data['fname'] = Auth::user()->firstname;
    

And also it always return false when i use Auth::check()

Can you show the login process (form and receiving route)? To restrict the access to the profile controller use the auth filter:

class ProfileController extends BaseController {

    public function __construct()
    {
        $this->beforeFilter('auth');
    }

    # other methods here
}

To restrict the single method you can apply the same or at route level:

Route::get('profile', array(
    'before' => 'auth',
    'uses'   => 'ProfileController@showProfile'
    ));

Jake.20 commented: Just what i'm looking for! +2

cereal 1,524 Nearly a Senior Poster Featured Poster

local host index page where the index page is viewable

So you have something like C:\WAMP\www, you copied the website to this directory and now it is in:

C:\WAMP\www\website

Correct? Then try:

http://localhost/website/index.php/admin

Or simply:

http://localhost/website/admin

Also, CodeIgniter uses an .htaccess file to rewrite the urls and avoid the index.php, make sure you have the .htaccess file in the document root (i.e. C:\WAMP\www\website) and the rewrite module loaded in Apache.

cereal 1,524 Nearly a Senior Poster Featured Poster

Try Linfo:

You can customize the output.

cereal 1,524 Nearly a Senior Poster Featured Poster

It seems the default value for the new versions of debian & derivatives:

Currently I don't have a new installation to verify, but you should be able to change the default value back to /var/www through the config files in /etc/apache2.

You could also move everything to your profile /home/lewashby/www/, it's just a matter of preferences.