Check arp-scan -ln it outputs something like this:

> arp-scan -ln
Interface: wls1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.0.1     00:c0:9f:09:b8:db       QUANTA COMPUTER, INC.
192.168.0.5     00:02:a5:90:c3:e6       Compaq Computer Corporation
192.168.0.87    00:0b:db:b2:fa:60       Dell ESG PCBA Test
192.168.0.90    00:02:b3:06:d7:9b       Intel Corporation
192.168.0.153   00:10:db:26:4d:52       Juniper Networks, Inc.
192.168.0.191   00:01:e6:57:8b:68       Hewlett-Packard Company
192.168.0.196   00:30:c1:5e:58:7d       HEWLETT-PACKARD

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.628 seconds (157.25 hosts/sec). 7 responded

And you could simply parse the output. But I'm not sure if there is a version for Windows platforms. Some info here:

Read More

Re:

i am just curious how to access social media accounts like facebook, watspp etc. with the users' permission in order to help them prevent unethical hackers from breaking into their accounts.

Even if ethical, that would probably be a misuse of FaceBook terms of services. There are projects, like BugCrowd, which allows you to hack into a service, limiting the activity to specific targets requested by the owner and following specific rules: non disclosure & co. Facebook partecipates to that, and usually pays bounties through their system. So, if you are really interested check it out: https://bugcrowd.com/

Read More

Ok,

it does not work because you are not accessing to the returned row when you call $stmt->otdq_ordernum.

Use:

$row = $stmt->fetch();

And then:

$row->otdq_ordernum;

Or use a MySQL variable.

Also rowCount() in PDO, assuming you are using it, does not return the rows found in a SELECT statement, but only the rows affected by INSERT, UPDATE, DELETE & similar statements.

See:

Read More

I was supposing the $_POST['Net'] arrays to hold float values, not file names. Anyway you could write:

$files    = [];
$products = [];

while($rowProduct = mysql_fetch_array($productSQL))
{
    $products[] = $rowProduct['POProductNet'];
}

if(TRUE === isset($_POST['Net']) && TRUE === is_array($_POST['Net']))
{
    $files = array_map('basename', $_POST['Net']);
    $diff  = array_diff_assoc($products, $files);

    if(count($diff) > 0)
    {
        // write data to db
    }
}

Here I'm just using the array functions, instead of the loops, it's just a choice. You can go with loops.

But if $_POST['Net'] is supposed to always be an array, then I would check it in the sanitizing step, not after the query to the database. So it would look like more:

$net = filter_input(INPUT_POST, 'Net', FILTER_SANITIZE_STRING, FILTER_REQUIRE_ARRAY);

if(FALSE !== $net)
{
    $files    = array_map('basename', $net);
    $products = [];

    // select query the database
    // populate the $products array
    // compare with $files
}

Read More

@AssertNull

Hi,

just to add something: the first step to avoid spam filters is to setup SPF and DKIM in the TXT records of the domain. That way Google, Hotmail & co. can verify if the sender address is allowed and if the origin is correct. For example, take Daniweb setup:

# query Google DNS
> dig daniwebmail.com ANY @8.8.8.8

daniwebmail.com.    299 IN  MX  5 daniwebmail-com.mail.protection.outlook.com.
daniwebmail.com.    299 IN  A   169.55.25.110
daniwebmail.com.    299 IN  TXT "MS=ms74324738"
daniwebmail.com.    299 IN  TXT "v=spf1  include:spf.protection.outlook.com ip4:169.55.25.96/28 ip4:169.55.29.192/27 ip4:74.53.219.128/25 a mx include:_spf.google.com ~all"

The TXT record is saying from which IP addresses the emails should be considered valid, this includes a range of IPs, the mail server defined in the MX record and the IP from the A record.

For example last newsletter came from community@daniwebmail.com and from IP 169.55.25.110. With spfquery you can test the validity of the origin:

spfquery -guess "v=spf1 mx a -all" -ip 169.55.25.110 -sender community@daniwebmail.com

The response looks like this:

passpass

spfquery: domain of daniwebmail.com designates 169.55.25.110 as permitted sender
Received-SPF: pass (spfquery: domain of daniwebmail.com designates 169.55.25.110 as permitted sender) client-ip=169.55.25.110; envelope-from=community@daniwebmail.com;

Which is basically what are doing mail services when receiving an email message. If the SPF is genuine then there are good chances to avoid the SPAM folder. But at that point it's necessary to act like you wrote, by rate limiting messages and by choosing correct phrasing.

More info:

Bye!

Read More

Comments
Good info

You could use the RecursiveDirectoryIterator() something like in this comment:

More precisely like this:

<?php

$path = dirname(__DIR__);

$dir_iterator = new RecursiveDirectoryIterator($path
                     , FilesystemIterator::SKIP_DOTS);

$iterator     = new RecursiveIteratorIterator($dir_iterator
                    , RecursiveIteratorIterator::LEAVES_ONLY
                    , RecursiveIteratorIterator::CATCH_GET_CHILD);

foreach($iterator as $file)
    if(TRUE === $file->isReadable())
        echo $file . PHP_EOL;

Read More

Hi,

from the documentation the strtotime() function you can read:

Parse about any English textual datetime description into a Unix timestamp

And it expects:

int strtotime ( string $time [, int $now = time() ] )

The $stockdate is a DateTime object, not a string. So try by submitting the string:

date('l F d, Y', strtotime($stockdate->date));

Or follow the DateTime library:

print $stockdate->format('l F d, Y');

Docs:

Read More

In addition: if the hash is generated by a salted md5 or sha1, the attacker can generate a string that outputs the same hash, it does not need to find the exact password, it just need to find a collision. See:

That would not work on Google, but it can work on other web services that are storing passwords as md5 or sha1 hashes. In some cases, you could see that the collision string does not work, for the only reason that the Z webiste is storing passwords in plain text :D

If I can suggest, change the passwords everywhere and activate the 2FA:

Also, it's a good practice to use plus addressing when signing in new services, as example name+zwebsite@gmail.com so, if you get spammy messages, you have a chance to find out the source. Plus addressing also works in Hotmail.

By the way, I use this service to get data breaches notices:

It works well.

Read More

Comments
Exploits. Exploits everywhere (insert meme here)

Spaces in URLs can be represented by %20 or by +, it depends on the browser and by the enctype attribute of the form tag.

Your script can receive requests like these:

term=abc++++
term=abc%20%20%20%20

Which in your code equals to:

string(7) "abc    "

So, instead of $searchTerm = $_GET['term']; do:

$searchTerm = trim(filter_input(INPUT_GET, 'term', FILTER_SANITIZE_STRING));

And the script will process the intended input:

string(3) "abc"

Note, in this case you don't need to use urldecode() as superglobals are already decoded. Also, you should query the database through prepared statements.

Read More

Ok, the blank list of results happens because JQuery expects to receive label and/or value as index keys of the result set.

Multiple types supported:
Array: An array can be used for local data. There are two supported formats:

  • An array of strings: [ "Choice1", "Choice2" ]
  • An array of objects with label and value properties: [ { label: "Choice1", value: "value1" }, ... ]

The label property is displayed in the suggestion menu. The value will be inserted into the input element when a user selects an item. If just one property is specified, it will be used for both, e.g., if you provide only value properties, the value will also be used as the label.

Source: http://api.jqueryui.com/autocomplete/#option-source

So change desc1 to label and should work fine. I was testing with a custom table which had a label column, so the issue didn't show up to me.

Do:

<script type="text/javascript">
    $(function() {

        $("#party").autocomplete({
            minLength: 0,
            source: "autocomplete.php",
            focus: function(event, ui) {
                $("#party").val(ui.item.label);
                $("#code").val(ui.item.code);
                return false;
            },
            select: function(event, ui) {
                $("#party").val(ui.item.label);
                $("#code").val(ui.item.code);
                return false;
            }
        })
    });
</script>

And in the PHP side:

$i = 0;
while($row=sqlsrv_fetch_array($select)) 
{
    $data[$i]['code']  = $row['code'];
    $data[$i]['label'] = $row['desc1'];
    $i++;
}

Read More

Look, it works fine for me. Do this: open the Web Developer Console which is available in Google Chrome, Chromium and Mozilla Firefox, hit the Network tab and enter a letter in the autocomplete input field, you should see a request to the server, hit the request link and click the Response tab, you should see a JSON object with the rows.

Read More

Hi,

check the source of the custom data example in the autocomplete JQueryUI documentation:

The select property should fit your requirements:

select: function( event, ui ) {
    $( "#project" ).val( ui.item.label );
    $( "#project-id" ).val( ui.item.value );
    $( "#project-description" ).html( ui.item.desc );
    $( "#project-icon" ).attr( "src", "images/" + ui.item.icon );

    return false;
  }

Another example: https://jsfiddle.net/0wdbgage/

Read More

Hi,

with browsers requests, the server can only accept the upload and check the sizes when it finishes. So, if you want to manage the error through PHP, raise the size and set a lower limit in the script.

If the limit in the php.ini file is 25MB and the server gets a bigger request body, then you will not see an error response. But the error log should return some information. The server can also handle the request by limiting the body request size and return an error.

You can check the file size with javascript, before the upload starts, see this snippet:

This will not stop malicious users, but it can be user-friendly solution.

<rant>
If browsers worked properly then they would wait for a HTTP/1.1 100 CONTINUE response from the server: the client in this case must send the file size through an header, wait for the server to validate the request and then proceed or discard. That would be wonderful to save bandwidth.
</rant>

Read More

Comments
good link - bookmarked :)
Re:

Hi Dani! :D

I have few points:

A

I still not receive emails (newsletter, notifications) with my registration email address (the Receive Community-related Email? issue). I only receive the monthly newsletter with the email address of the other account. To watch an article I have to use that account from another browser, otherwise I don't get anything.

B

My old private messages are all in the other account.

C

I edited my Dazah profile to NOT display my name, but here in the forum is still shown in my Profile & CV pages.

Sincerly, I'm here just to ask or reply few questions in the forums, not to network. I think I've understood what you want to achieve, but these changes made me feel a bit unconfortable.

Read More

-sigh-
Why is it so, that when there's an issue, people look all around :D, but not on the issue.

lol, I asked because I do not know how you are implementing that statement and what you really expect to get. What do you mean by true 404? A redirect to the 404 error page defined by the server?

This:

While Opera fools itself, Firefox doesn't. It shows just super-empty document (not 404, but also not even standard CSS stylesheet). How do I successfully send "404 Not Found" to ALL browser.

is not a useful information, to understand your issue.

Look, to me it's easier to move the includes scripts into a separated directory, then use .htaccess to deny direct access to that directory, so it cannot be accessed through the browser.

This solution does not require to modify the scripts, so nothing like the header() 404 statement, if really needed you could force it through .htaccess and send a more appropriate 403 or even 404.

It's even better if you move the includes directory to the parent of the public_html directory, which if correctly set, is not accessible by the browsers, that way you don't even need to use .htaccess file to define what is accessible and what not.

Read More

Comments
GSOH!

Hi,

have you tried the web developer console integrated in your browser (Mozilla Firefox, Chrome, Chromium) to see if the javascript code is raising some errors?

Can you provide a live example?

Besides, test your script with a simple HTML form, you will see there are at least few issues:

Issue 1

move_uploaded_file($_FILES["fileUpload"]["tmp_name"],WWW_ROOT.$dirname."/".$_FILES["file"]["name"]);

In the first parameter you refer to fileUpload, in the second to file, so it's like if your are trying to get the values from two different arrays. Fix them to match fileUpload as defined in the javascript.

Issue 2

This involves multiple lines:

/// client side
<input id="serverUrl" type="text" value="http://sample.com/mobile_app/upload_img.php" />

/// server side
$dirname = "./user_img";
mkdir ($dirname, 0777, true); 
move_uploaded_file($_FILES["fileUpload"]["tmp_name"],WWW_ROOT.$dirname."/".$_FILES["file"]["name"]);

If you define $dirname with a relative path, then the upload_img.php script will create the directory inside his own path, so you end with:

/mobile_app/user_img/

The move_uploaded_file() function, instead, points to the document root, and you get something like this:

/./user_img/

The mover function will not find the path, so it will fail to complete the task. However, the $_FILES array gets populated before these things happen, so it may not affect your current issue.

Issue 3

The mkdir() will raise a warning as soon you run the script successfully for the second time, because the path already exists. Use file_exists() to verify if it exists, or just create it manually and remove mkdir().

Read More

@zebnoon1 Hi, you were asked multiple times, to reply to some questions with useful information. Calmly read again Pritaeas posts and reply to his requests.

For example, he asked:

What size is the downloaded file?

So the downloaded .pdf file is 0 bytes, few bytes and when opens is like corrupted? Have you tried to open the file into your PHP editor? Because it could be a plain-text file (with .pdf extension) and more importantly with a PHP error generated by your script. If this is so, then that error could help a lot to understand what happens.

So read again Pritaeas posts and reply to his requests.

Read More

Comments
:)