Posts by cereal

I've also been getting a lot of sex spam. I wonder if someone got my email address off a database somewhere ^_^

Me too and they try to add my account to Hangouts, so I reply to add my "other" account instead, which is the email address of a previous spammer. When they insist, I reply with Siri's quotes, random tweets, youtube videos. Last time, the correspondence continued for a week before they gave up.

Except it is the ending of a PHP function.

I was asked to fix few bugs, looking at the code, this is what I saw at the end, 600 lines later:

            }
                        }

        }
                }
            }
    }
        }

                                        }

Looks like vertical brainf4ck code. You can imagine how it looks the rest.

You're welcome. I'm not really into OpenCart, but reading the documentation, it seems you need to develop a Product Feed with a model, so you can define your database schema and associate the results of the affiliate programs. See if this helps:

• http://docs.opencart.com/developer/product-feed/

Or wait for other suggestions. Bye!

I'm not sure it still supports ATOM, this is why I suggested to load an atom feed from some website and see if it works.

I suppose Apple, Google & FB are trying to bind publishers to their platforms by offering a rich content experience. See for example the AMP project by Google and Instant Articles by FB:

• https://www.ampproject.org/
• https://instantarticles.fb.com/

Instant Articles, in particular accepts RSS feeds but a variant, specific to their platform. So you must create an ad-hoc feed for them.

It seems the Apple News app does not support RSS format anymore since last summer, try to load an ATOM feed or follow their format: https://developer.apple.com/news-publisher/

Hi,

the recommended way to hash passwords in PHP is through password_hash(), see the examples in the documentation page:

• http://php.net/password-hash

The example #3 seems similar to your request. If you will use PHP 7, then you can enable strict mode and you can write something like this:

<?php declare(strict_types=1);

function GetSaltedHash(string $pw, string $salt) : string
{
    $tmpPw   = mb_convert_encoding($pw, 'UTF-8');
    $tmpSalt = mb_convert_encoding($salt, 'UTF-8');

    $options = ['cost' => 11
              , 'salt' => $tmpSalt];

    $hBytes = password_hash($tmpPw, PASSWORD_BCRYPT, $options);

    return base64_encode($hBytes);
}

function CreateNewSalt(int $size) : string
{
    # default size
    if($size < 22)
        $size = 22;

    return base64_encode(random_bytes($size));
}

$pass = 'hello';
$size = 30;
$salt = CreateNewSalt($size);
$hash = GetSaltedHash($pass, base64_decode($salt));
$decd = base64_decode($hash);

print 'base64 encoded: ' . $hash . PHP_EOL;
print 'base64 decoded: ' . $decd . PHP_EOL;
print PHP_EOL;

if(TRUE === password_verify($pass, $decd))
    print 'The password is valid';

else
    print 'Validation failed';

print PHP_EOL;

See also:

• http://php.net/manual/en/function.random-bytes.php
• http://php.net/manual/en/function.password-verify.php
• https://github.com/ircmaxell/password_compat

Hello,

I just saw your question, so according to FB best practises:

Use images that are at least 1200 x 630 pixels for the best display on high resolution devices. At the minimum, you should use images that are 600 x 315 pixels to display link page posts with larger images. Images can be up to 8MB in size.

If your image is smaller than 600 x 315 px, it will still display in the link page post, but the size will be much smaller.

We've also redesigned link page posts so that the aspect ratio for images is the same across desktop and mobile News Feed. Try to keep your images as close to 1.91:1 aspect ratio as possible to display the full image in News Feed without any cropping.

And last:

The minimum image size is 200 x 200 pixels. If you try to use an image smaller than this you will see an error in the Sharing Debugger.

Source: https://developers.facebook.com/docs/sharing/best-practices#images

The sponsor badge appears also if you have received positive reputation points. From the green banner here in the page:

Questions asked by members who have earned a lot of community kudos are featured in order to give back and encourage quality replies.

Now:

Is there something which will shut down the current PHP script OR website entirely ?

Do you mean a maintenance mode?

So, something like this extension:

https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=29709&sort=date_added

correct?

Also, try The Expanse, not zombiesque but worth to see:

• https://www.wired.com/2017/01/geeks-guide-the-expanse-season-2/

they require that we "noindex" the majority of our content.

what?! o_o

I've googled a bit for you, but it seems you're out of luck. You should've forked your first pen.

I can confirm is not supported, people use Gists on GitHub to versioning the code, but it requires to save and export to GitHub each time, manually. More info here:

• https://blog.codepen.io/2016/09/19/using-gists-see-versions-pens-dif-pen-changes/

It seems spam. The Mozilla support forum is this:

• https://support.mozilla.org/en-US/kb/get-community-support

not the one linked by Remote_1.

What rproffitt said. The support form for the plugin is:

• https://translate.wordpress.org/projects/wp-plugins/tablepress

An answer by the plugin's author to your same request:

• https://wordpress.org/support/topic/is-it-possible-to-create-an-input-form-that-updates-the-table/

Thank you Dani, it works really fine.

The reason is this:

554 delivery error: dd This user doesn't have a yahoo.com account (deacleodor@yahoo.com)

In other words the email address does not exists.

@Dani

... And regarding Nginx, if you were able to get Nginx to work with PUT and PATCH, please let me know how! Whenever I try, Nginx short circuits and returns back a status of 501 not implemented and with a message body of "This method may not be used."

From my understanding, you can compile Nginx with a module to override this, and enable PUT, PATCH, and DELETE but when doing so, Nginx again short circuits PHP and actually PUTS/DELETEs files in the file system!

I have tried that and, yes, it works like in your description but only if webdav is enabled for that location. Otherwise it works like in pty's example.

For a basic test try:

<?php

$stream = [];
$method = $_SERVER['REQUEST_METHOD'];

parse_str(file_get_contents('php://input'), $stream);

print "Method $method" . PHP_EOL;
print print_r($stream, TRUE) . PHP_EOL;

And then send requests:

http --form PUT http://site/script.php msg="hello" --verbose

And you should see something like:

PUT /a.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 9
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: HTTPie/0.9.2

msg=hello

HTTP/1.1 200 OK
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Server: nginx/1.6.2
Transfer-Encoding: chunked

Method PUT
Array
(
    [msg] => hello
)

Here are the reasons:

• https://dev.mysql.com/worklog/task/?id=6073

Mainly because the new default engine in 5.7 is InnoDB.

Hi,

just a side note: back in Windows XP days by pressing CTRL ALT DEL for two times, in the login screen, made the admin account visible. I do not know if this is still valid as I have not used those systems lately. Hope it helps, bye!

Hi,

as the error states the format of the invoice is not recognized by their system, you are showing only the namespaces in the header of the XML document. The document must conform to these namespaces. So if the namespace xlmns:p defines nodes like <p:FatturaElettronica> the following:

<FatturaElettronicaHeader> 
      <DatiTrasmissione>

Will probably be:

<p:FatturaElettronicaHeader> 
      <p:DatiTrasmissione>

Ans so on. Verify if there are nodes that are breaking these rules. If you have difficulties, please share a full example of this document and the related documentation.

Hi!

I think jkon refers to this https://www.w3.org/TR/wsdl20/
i.e. a document that describes the features of the API endpoints. This is widely used in SOAP. See also:

• http://www.ibm.com/developerworks/webservices/library/ws-restwsdl/

Davy, I think you are able to solve this error, look it carefully.

like how?

Download this file:

• https://github.com/bcit-ci/CodeIgniter/archive/3.1.3.zip

or download the version you are using. Extract, browse up to application/views/ and copy the errors directory, with all the contents, into your application/site/views/ directory.

Hi Jailani,

in your code you are using:

$value = $_GET['change'];

which will not work if the form set the method to POST:

<form method="post">

if you perform a POST request then you have to use $_POST in the PHP side to access the values of the input fields. You could use $_GET, but only if appending values to the action link of the form tag, for example:

<form method="post" action="script.php?id=123">

Also, you are trying to access the id, like this:

$id = $_REQUEST['id'];

I suppose you want to get it from this line:

echo"<td><font color='black'>" .$test['id']."</font></td>";

It will not work, unless you do not add an input field like this:

<input type="hidden" name="id" value="<?php echo $test['id']; ?>">

This is more correct, but you are also looping the array from the query, so you are going to create a group of rows, in the HTML, each with:

echo"<td><input type='text' name='change'/></td>";

In this case, since you are not submitting $_POST['change'] as an array and since this is a text type, you will apply only the last one in the list:

<tr>
    <td><input type='text' name='change'/>
<tr>
    <td><input type='text' name='change'/>
<tr>
    <td><input type='text' name='change'/> <-- only this will be applied

So the input name should look like more name='change[]':

<tr>
    <td><input type='text' name='change[]'>
<tr>
    <td><input type='text' name='change[]'>

Even by applying this your update query will still not work, because you have to loop the $_POST['change'] and the other fields values.

This post may help you:

• https://www.daniweb.com/programming/web-development/threads/474309/registration-using-php#post2072284

it applies to <select> …

Then add all the tree from the official download.

The current latest stable PHP version is 7.* from which ext/mysqlwas removed.

If you are using PHP 5.6 then the query should still work, as ext/mysql is only deprecated. Can you share the error code you got from the above?

C:\Program Files (x86)\EasyPHP-DevServer-14.1VC9\data\localweb\masterlinkci2\application\site\views\errors\html\error_php.php

Can you reach the error_php.php file by following the path described in the warning?

Check arp-scan -ln it outputs something like this:

> arp-scan -ln
Interface: wls1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.0.1     00:c0:9f:09:b8:db       QUANTA COMPUTER, INC.
192.168.0.5     00:02:a5:90:c3:e6       Compaq Computer Corporation
192.168.0.87    00:0b:db:b2:fa:60       Dell ESG PCBA Test
192.168.0.90    00:02:b3:06:d7:9b       Intel Corporation
192.168.0.153   00:10:db:26:4d:52       Juniper Networks, Inc.
192.168.0.191   00:01:e6:57:8b:68       Hewlett-Packard Company
192.168.0.196   00:30:c1:5e:58:7d       HEWLETT-PACKARD

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.628 seconds (157.25 hosts/sec). 7 responded

And you could simply parse the output. But I'm not sure if there is a version for Windows platforms. Some info here:

• https://github.com/royhills/arp-scan

Can you show the method controller?

Well, I redirect application_folder value to application/site since I divided application folders into two folders admin and site. admin for backend and site for frontend.
[...]
and still receiving that same error:

To make it work, both applications must have the requested folders and files. In practice make a copy of what is inside application/ into application/admin/ and application/site/. I'm assuming your admin panel is inside the application/admin/ folder. So you end up with something like this:

.
├── .htaccess                        <-- 1st .htaccess
├── admin
│   ├── .htaccess                    <-- 2nd .htaccess
│   └── index.php
├── application
│   ├── admin
│   │   ├── cache
│   │   ├── config
│   │   ├── controllers
│   │   ├── core
│   │   ├── helpers
│   │   ├── hooks
│   │   ├── index.html
│   │   ├── language
│   │   ├── libraries
│   │   ├── logs
│   │   ├── models
│   │   ├── third_party
│   │   └── views
│   └── site
│       ├── cache
│       ├── config
│       ├── controllers
│       ├── core
│       ├── helpers
│       ├── hooks
│       ├── index.html
│       ├── language
│       ├── libraries
│       ├── logs
│       ├── models
│       ├── third_party
│       └── views
├── index.php
└── system

In the above structure there is an index.php file in the document root and another in the admin folder. The former will point to the site application, the latter to the admin application, by editing the $application_folder value for the former to:

$application_folder = 'application/site';

And the values of …

i am just curious how to access social media accounts like facebook, watspp etc. with the users' permission in order to help them prevent unethical hackers from breaking into their accounts.

Even if ethical, that would probably be a misuse of FaceBook terms of services. There are projects, like BugCrowd, which allows you to hack into a service, limiting the activity to specific targets requested by the owner and following specific rules: non disclosure & co. Facebook partecipates to that, and usually pays bounties through their system. So, if you are really interested check it out: https://bugcrowd.com/

Ok, so you changed the $application_folder value to application/site, is this correct?

Are you creating an application folder named site inside the application folder? I mean, do you have something like the following:

application/
└── site
    ├── cache
    ├── config
    ├── controllers
    ├── core
    ├── helpers
    ├── hooks
    ├── index.html
    ├── language
    ├── libraries
    ├── logs
    ├── models
    ├── third_party
    └── views
        └── errors
            ├── cli
            └── html

Otherwise restore the $application_folder value to his default application and it should work fine.

See: https://www.codeigniter.com/user_guide/general/managing_apps.html

Hi,

are you loading the database library? You can do that in the application/config/autoload.php file, to make it available in all controllers and models:

$autoload['libraries'] = array('database');

Instead, if you do not want to load it for every resource, you can load it in the constructor of the model or in the specific method. For example:

<?php

class Gallery_model extends CI_Model
{

    public function __construct()
    {
        parent::__construct();
        $this->load->database();
    }

    public function get_picture($id) { /* ... */ }

}

It could go also in the controller (method or constructor), the library then would be used by the loaded models as well.

See:

• https://codeigniter.com/user_guide/general/models.html?highlight=models#connecting-to-your-database
• https://codeigniter.com/user_guide/libraries/loader.html?#CI_Loader::database
• https://codeigniter.com/user_guide/database/examples.html#initializing-the-database-class

Hi,

if this is for WordPress then follow these directives:

• https://codex.wordpress.org/Using_Permalinks

otherwise search for apache and url rewriting.

Ok,

it does not work because you are not accessing to the returned row when you call $stmt->otdq_ordernum.

Use:

$row = $stmt->fetch();

And then:

$row->otdq_ordernum;

Or use a MySQL variable.

Also rowCount() in PDO, assuming you are using it, does not return the rows found in a SELECT statement, but only the rows affected by INSERT, UPDATE, DELETE & similar statements.

See:

• http://php.net/manual/en/pdostatement.rowcount.php

In this very specific case, because $ID is expected to be an integer, you could use exec() which returns the number of affected rows by the statement or something that evaluates to boolean FALSE (if something goes wrong) but you have to properly sanitize the variable.

$ID = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT);

if(FALSE !== $ID)
{
    $update = $db->exec("UPDATE table SET count = count + 1 WHERE id=".$ID);

    if(FALSE === $update)
    {
         // log the error, kill the script, etc.
    }

    else
    {
        // successful update
    }
}

else
{
    // $ID is not valid
}

In case of strings, instead, the filter function is not enough, because sending something like 0 OR 1=1 would be valid and expose your query to an SQL injection attack.

I prefer to have few extra lines of code and go with prepared statements.

Besides, in PDO you can send the values as an array, in the execute() method:

$stmt->execute([':ID' => $ID]);

Hi,

it happens because getDB() is using PDO and in the script you are using MySQLi. Fix it and it should work.

I was supposing the $_POST['Net'] arrays to hold float values, not file names. Anyway you could write:

$files    = [];
$products = [];

while($rowProduct = mysql_fetch_array($productSQL))
{
    $products[] = $rowProduct['POProductNet'];
}

if(TRUE === isset($_POST['Net']) && TRUE === is_array($_POST['Net']))
{
    $files = array_map('basename', $_POST['Net']);
    $diff  = array_diff_assoc($products, $files);

    if(count($diff) > 0)
    {
        // write data to db
    }
}

Here I'm just using the array functions, instead of the loops, it's just a choice. You can go with loops.

But if $_POST['Net'] is supposed to always be an array, then I would check it in the sanitizing step, not after the query to the database. So it would look like more:

$net = filter_input(INPUT_POST, 'Net', FILTER_SANITIZE_STRING, FILTER_REQUIRE_ARRAY);

if(FALSE !== $net)
{
    $files    = array_map('basename', $net);
    $products = [];

    // select query the database
    // populate the $products array
    // compare with $files
}

Hi,

you could use array_diff_assoc():

<?php

$sql  = [25.00, 25.00, 50.00, 82.00, 120.00, 205.00];
$post = [25.00, 50.00, 50.00, 80.00, 120.00, 205.00];

print_r(array_diff_assoc($post, $sql));

Returns:

Array
(
    [1] => 50
    [3] => 80
)

So you can manage the array through the index key of the array. But what is the goal of this compare?

Check the PHP error log, it can be a permission issue.

I also wonder if I could upload pdf through Roxy Filemanager?

It seems possible. This is defined by the ALLOWED_UPLOADS and FORBIDDEN_UPLOADS of the conf.json file (see previous link). The former is the whitelist, define for example pdf jpg png to allow these files to be uploaded. The latter is a blacklist, which his own defaults, make sure pdf is not listed there and it should work fine.

Then use insert link, browse to file and select Add file to upload a file from your computer.

Once is uploaded, if you can select the file, like in their demo, then there should not be the need to type, as you can add a description text in the modal view.

I have to type it according to the folder.

That's the point, it's not upload but uploader. In any case you can insert an HTML link, but use an absolute path:

<a href="/assets/uploaded/artikel/file.pdf">[PDF] Description of file</a>

That could be something else, like the rewriting rules of the server. Did you verified if the link appears different in the HTML source code?

And:

Are you able to browse to the PDF through the plugin? Can you upload? Like in their demo?

Oh, ok, there is a configuration option FILES_ROOT in the conf.json file of the Roxyfileman, used to define the path in which upload the files. According to the documentation the path MUST be absolute to the document root of the website:

• http://www.roxyfileman.com/install#config

Looking at the HTML of the first link you posted, it does not seem to be absolute:

<div style="text-align:justify"><p><a title="Presentasi Tugas LPJK ke 5" href="../../../../assets/upload/artikel/2007TugasLPJKke5.pdf" target="_blank" rel="noopener noreferrer">Presentasi: Tugas LPJK ke 5</a></p></div>

Here the value assigned to FILES_ROOT should probably be /assets/uploaded/ or /assets/uploaded/artikel/ if you want to restrict it to that path.

Are you able to browse to the PDF through the plugin? Can you upload? Like in their demo?

Could you show the code used to build these links?

Hi,

the first link redirects with 302 to the home page, when instead should show a 404 error page.

Look here:

• http://www.gsa-constructionspecialist.com/assets/upload/artikel/2007TugasLPJKke5.pdf

And go to the first folder:

• http://www.gsa-constructionspecialist.com/assets/

You server is listing the index, from there you can see that the upload directory does not exists. It exists uploaded, from there you can get the file. Fix the link and it should work fine.

The second link you posted points to cpanel because it referes to a cpanel session, it cannot download a file without having a valid session. That's for security, so it is correct.

@AssertNull

Hi,

just to add something: the first step to avoid spam filters is to setup SPF and DKIM in the TXT records of the domain. That way Google, Hotmail & co. can verify if the sender address is allowed and if the origin is correct. For example, take Daniweb setup:

# query Google DNS
> dig daniwebmail.com ANY @8.8.8.8

daniwebmail.com.    299 IN  MX  5 daniwebmail-com.mail.protection.outlook.com.
daniwebmail.com.    299 IN  A   169.55.25.110
daniwebmail.com.    299 IN  TXT "MS=ms74324738"
daniwebmail.com.    299 IN  TXT "v=spf1  include:spf.protection.outlook.com ip4:169.55.25.96/28 ip4:169.55.29.192/27 ip4:74.53.219.128/25 a mx include:_spf.google.com ~all"

The TXT record is saying from which IP addresses the emails should be considered valid, this includes a range of IPs, the mail server defined in the MX record and the IP from the A record.

For example last newsletter came from community@daniwebmail.com and from IP 169.55.25.110. With spfquery you can test the validity of the origin:

spfquery -guess "v=spf1 mx a -all" -ip 169.55.25.110 -sender community@daniwebmail.com

The response looks like this:

passpass

spfquery: domain of daniwebmail.com designates 169.55.25.110 as permitted sender
Received-SPF: pass (spfquery: domain of daniwebmail.com designates 169.55.25.110 as permitted sender) client-ip=169.55.25.110; envelope-from=community@daniwebmail.com;

Which is basically what are doing mail services when receiving an email message. If the SPF is genuine then there are good chances to avoid the SPAM folder. But at that point it's necessary to act like you wrote, by rate limiting messages and by choosing correct phrasing.

More info:

• http://www.openspf.org/SPF_Record_Syntax
• http://www.openspf.org/Best_Practices
• http://www.tldp.org/HOWTO/Spam-Filtering-for-MX/exim-spf.html
• http://debian-administration.org/article/721/Validating_SPF_and_DKIM_at_SMTP-time_with_exim

Bye!

how does this page look to you? https://www.dazah.com/audiences

Looks fine here with Chromium 55.* and no login issues. Besides... Happy New Year!

Hi,
the PHPMailer hack would probably fail if submitting filtered data to the library, i.e.:

• sanitizing through filter_input()
• and by using SMTP, because it will not use sendmail, nor mail()

Note, a filter_* function is also used in the PHPMailer library, but as default option of their validateAddress() switch and does not run, if other extensions are loaded.

In reference to your first request search for SSLsplit and mitmproxy, in practice the attacker takes the role of the gateway and intercepts & modifies the requests, but it requires to be in the same network.

Hi,

it happens because their server detects you are using a bot, by setting a User-Agent their server replies with a Location header that suggests where to redirect the request, this is a time-limited login link that redirects back to the requested page. Example with HTTPie:

http -vv GET http://www.aaii.com/sentimentsurvey/sent_results User-Agent:'Mozilla/5.0 (X11; Linux i686) AppleWebKit [...]'

You send:

GET /sentimentsurvey/sent_results HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: www.aaii.com
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit [...]

And get back in response:

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Sat, GMT
Location: https://user.aaii.com/sso/login.aspx?vi=8&vt=[ALPHANUM_STRING]&DPLF=Y
Pragma: no-cache
Set-Cookie: CFID=; HttpOnly;expires=Mon, ;path=/
Set-Cookie: CFTOKEN=UUID-STRING; HttpOnly;expires=Mon, ;path=/
Set-Cookie: JSESSIONID=ALPHANUM-STRING;path=/; HttpOnly
Transfer-Encoding: chunked

Now, the browser at this points follows the Location header, so you get the page. With HTTPie is done by repeating the request and by adding --follow and you finally get:

HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Sat, GMT
Set-Cookie: VISIT=1; HttpOnly;expires=;path=/
Set-Cookie: JOINAD=; HttpOnly;path=/
Set-Cookie: COUNTER=0; HttpOnly;path=/
Set-Cookie: POPCOOKIE5=0;expires=;path=/
Set-Cookie: POPCOOKIE90=0;expires=Sun, ;path=/
Set-Cookie: POPCOOKIE5=1; HttpOnly;path=/
Set-Cookie: POPCOOKIE90=1; HttpOnly;path=/
Set-Cookie: NOTBOT=0;expires= GMT;path=/
Set-Cookie: EXPIREHOLD=
Transfer-Encoding: chunked

The NOTBOT cookie seems to be the key, but it will not work in first instance if you don't send also the other cookies.

You can try to use curl CURLOPT_FOLLOWLOCATION or a stream context within file_get_contents but I suspect that in both cases you would violate their terms of services. See if they have an API or an XML feed that you can query regularly.