|
Knyteguy posted: Is that Tech 9 in your avatar?

It's Thelonious Monk... but anyhow my days of being reddited and boinged and stumbled are over for the moment. When that was going on, it was a Wordpress site, uncached, running on Apache, with ~10 ajax requests per pageview. They advertise unlimited bandwidth, but when that sort of traffic happens to you they shut you down right fast. Since those days I have got myself a job with a lot of bandwidth and have learned the joy of nginx, but I still keep my HostPapa domains around (anyone interested in "terrifi.ca"?)
|
# ? Jan 18, 2012 07:31 |
|
I know cakephp is not the framework to get into, but I'm on a project that is using it. Can anyone recommend me a solid forums group to ask questions when I run into problems? I think my problem is pretty basic, but I'm having a hard time conveying it or even showing code, because of all the places I have to make changes to (controllers, views, routes).
|
# ? Jan 18, 2012 19:19 |
|
I'm using DataTables with an ajax data source which is a JSON array of objects. One of my problems is that I'm trying to return HTML on one of the values so that it is a link in my table instead of text. The problem is that json_encode() escapes slashes. To counter this I did:

php:
<? $contracts = json_encode($contracts); echo stripslashes($contracts); ?>

I'm very lovely when it comes to keeping things safe and escaped but I want the value to be a link.
|
# ? Jan 18, 2012 19:36 |
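An added example (not the poster's code) of producing the DataTables JSON source with a link cell and no stripslashes() pass. It assumes PHP 5.4 or later, a constructed $contracts array, and a made-up /contracts/view/ URL layout; the h() helper is a hypothetical name for htmlspecialchars() with the usual flags.

```php
<?php
// Added example, not the poster's code: producing a DataTables JSON source that
// contains a link cell without post-processing json_encode() output.
// $contracts is constructed sample data; the URL layout is an assumption.

$contracts = [
    ['id' => 17, 'name' => 'Acme "Widgets" <b>',  'file' => 'acme.pdf'],
    ['id' => 18, 'name' => "O'Neil & Sons",        'file' => 'oneil 2012.pdf'],
];

// Entity-encode anything untrusted that lands inside HTML markup (hypothetical helper).
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Build each row with the link already assembled server-side.
function encodeRows(array $contracts)
{
    $rows = [];
    foreach ($contracts as $c) {
        $href = '/contracts/view/' . rawurlencode($c['file']);
        $rows[] = [
            'id'   => $c['id'],
            'name' => '<a href="' . h($href) . '">' . h($c['name']) . '</a>',
        ];
    }
    // Escaped slashes ("<\/a>") are valid JSON and decode back to "</a>" in the
    // browser, so DataTables renders the link either way. JSON_UNESCAPED_SLASHES
    // (PHP >= 5.4) only makes the payload easier to read.
    $flags = defined('JSON_UNESCAPED_SLASHES') ? JSON_UNESCAPED_SLASHES : 0;
    return json_encode(['aaData' => $rows], $flags);
}

// Why stripslashes() is the wrong fix: it also removes the backslash that
// json_encode() put in front of every double quote inside a value, so a quote
// in the data terminates the JSON string early and the document no longer parses.
function stripslashesBreaksJson(array $contracts)
{
    $mangled = stripslashes(json_encode($contracts));
    json_decode($mangled);
    return json_last_error() !== JSON_ERROR_NONE;   // true for the sample data above
}

header('Content-Type: application/json; charset=utf-8');
echo encodeRows($contracts);
```

The "aaData" key is the DataTables 1.9 convention of the thread's era; newer releases read "data". The point of stripslashesBreaksJson() is that the quote in the first sample name is enough to break the response, and a name chosen by a user would do the same, so the escaping has to stay and the HTML has to be entity-encoded before it goes into the JSON.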
|
Does anyone here use Zend? I'm trying to preserve newlines in text inserted into a database and they're passed through fine right until they hit the part where they actually get inserted, where it looks like Zend_Db's adapter automatically converts them all to <br/>s. I've been up and down the code to no avail and the Zend documentation isn't particularly useful; is this standard behaviour, and can it be easily switched off?
|
# ? Jan 18, 2012 23:54 |
|
I've used Zend_Db in a few things and have never seen that behavior, ever. Can you provide a reduced test case?
|
# ? Jan 19, 2012 01:16 |
|
McGlockenshire posted: I've used Zend_Db in a few things and have never seen that behavior, ever.

Thanks anyway. If I can't track it down I'll come back with a test case.
|
# ? Jan 19, 2012 08:45 |
|
I'm using cake php and I'm trying to link an image to another image with lightbox. code:
Any help is appreciated
|
# ? Jan 20, 2012 17:52 |
|
Any exploit experts in the house? I'm helping someone else now who keeps getting their personal website 'hacked', but I'm pretty sure it's just some automated script someone is running somewhere. They're on:

- cPanel 11.30.5 (build 6)
- Apache 2.0.63
- PHP 5.2.14
- MySQL 5.0.92-community
- Perl 5.8.8
- RHEL5 2.6.18-194.11.3.el5

The 'hack' is that once a month (same day 3 months so far) someone gets in somehow and makes a 'flickr.com' and 'blogger.com' folder in the public_html root. Then, 3 days later, if those directories still exist, they'll insert some files that allow them to 1) upload their own files (in flickr.com) and 2) make database queries (in blogger.com). These appear to be .gifs/.jpgs using some kind of mime type exploit with commands base64 encoded at the end of the binary file. In a way I don't care about the latter part, because I want to stop them from making the files/folders in the first place. I'm pretty good with (Windows+.Net) security, but am pretty well out to sea on this Lunix/php stuff.

What I've done (based on googling around):

1. Moved the admin code for cPanel into a different directory and reset the permissions
2. Changed the password on the 'main' cpanel account (they were using it as their FTP account. Over wireless.), made separate new FTP accounts so the 'main' cpanel account is never used over cleartext again
3. Checked all files modified past date (x) (nothing related found)
4. Checked all database rows modified past date (x) (nothing related found)

Since I've done this the two folders have appeared again, same day as the previous two months. Has anyone run across this before?
|
# ? Jan 21, 2012 09:01 |
|
Scaramouche posted:Any exploit experts in the house? I'm helping someone else now who keeps getting their personal website 'hacked', but I'm pretty sure it's just some automated script someone is running somewhere.
|
# ? Jan 21, 2012 09:39 |
|
I found that pretty early on (when looking up base64 image exploits) but Timthumb was never used on this system. Also, that part seems to come after; after they're able to make these folders.
|
# ? Jan 21, 2012 09:54 |
|
What "website" is running on the host? By this I mean: what software is exposed on the internet. Some website-thingies are built horribly and allow for tons of security flaws; like uploads with faked filenames ("../../../index.php" for example) etc etc. So make sure it's set up right and you know what software is running. Many web-software things are vulnerable to nonsense like this. geonetix fucked around with this message at 10:57 on Jan 23, 2012 |
# ? Jan 21, 2012 10:30 |
|
Scaramouche posted: Any exploit experts in the house? I'm helping someone else now who keeps getting their personal website 'hacked', but I'm pretty sure it's just some automated script someone is running somewhere. They're on:

Did your friend actually clean out or re-image the server after getting hacked? There might still be something on there.
|
# ? Jan 23, 2012 01:54 |
|
Scaramouche posted: Any exploit experts in the house? I'm helping someone else now who keeps getting their personal website 'hacked', but I'm pretty sure it's just some automated script someone is running somewhere. They're on:

There's a netsec thread starting in SH/SC that might be a good place to ask: http://forums.somethingawful.com/showthread.php?threadid=3455244 I'd begin by hitting the site with every scanner you can think of, starting with something like nessus.
|
# ? Jan 23, 2012 15:39 |
|
Sorry for the delay guys, I was super sick over the weekend. To try and answer in order:

Geonetix: The application running on the server is a simple php based wordpress/cms site, with some custom content pages. So that means there's a database too. I've already looked over the sql calls (there's not that many files/pages total) and there's nothing I can see from an injection standpoint. Attack surfaces are the php pages, wordpress, one email signup form, the cpanel management app, the ftp server.

Haywood Japwnme: It wasn't re-imaged, but like I said this is a really small site (less than 200 files) and I was able to inspect just about everything manually. I'm also not 'officially' maintaining it or anything, a friend just asked me to take a look at it and see if I can figure out why this is happening.

Bob_Morales: Thanks for the advice, I'll have to check that out as well.

To everyone, thanks for the input. I wasn't expecting you guys to magically solve the problem; my faint hope was someone would say 'hmm, flickr and blogger folders out of nowhere? that sounds like exploit (xyz) that you can fix by updating (abc)!'. E.g., the easy way.
|
# ? Jan 23, 2012 19:43 |
|
Scaramouche posted:It wasn't re-imaged, but like I said this is a really small site (less than 200 files) and I was able to inspect just about everything manually. I'm also not 'officially' maintaining it or anything, a friend just asked me to take a look at it and see if I can figure out why this is happening.
|
# ? Jan 23, 2012 20:36 |
|
This might be too fiddly to bother with much longer, but I'm trying to call a binary CGI script from PHP and output the code, without involving Apache. Currently it works if I do:

php:
<? readfile('http://localhost/cgi-bin/whatever.exe?param=foo') ?>

php:
<? passthru('/path/to/cgi-bin/whatever.exe -param=foo') ?>

but the CGI script doesn't seem to pull its parameters that way. I'm pretty much a total blank slate when it comes to CGI. A possible hint, the app I'm hacking on has a bit of Perl code that looks like: code:

EDIT: Got it. Maybe not the cleanest or by-the-book, but it works:

php:
<?
$params = "foo=bar&baz=quux";
$cmd = "LD_LIBRARY_PATH=/usr/local/app/lib/:/usr/lib:/usr/local/lib REQUEST_METHOD=GET "
     . "QUERY_STRING=" . escapeshellarg($params) . ' '
     . "/usr/local/app/cgi-bin/whatever.exe";
passthru($cmd);
?>

Tad Naff fucked around with this message at 23:14 on Jan 23, 2012 |
# ? Jan 23, 2012 21:00 |
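An added example, not Tad Naff's code, of the same invocation done with proc_open(): the CGI variables go to the child as a real environment array, so the parameter values never pass through a shell and only the fixed command string does. The binary path and LD_LIBRARY_PATH come from the post; everything else (the other CGI variables, the error handling, PHP 5.4 or later) is assumed.

```php
<?php
// Added example, not Tad Naff's code: running a CGI binary from PHP with the CGI
// variables passed as a real environment instead of a shell command string.
// The binary path and library path are taken from the post; the rest is assumed.

function runCgi($binary, array $params)
{
    if (!is_executable($binary)) {
        throw new RuntimeException("not executable: $binary");
    }
    // CGI/1.1 reads the request from its environment. proc_open() hands this
    // array to the child directly, so parameter values are never parsed by a
    // shell; only the (fixed) command string goes through /bin/sh.
    $env = [
        'GATEWAY_INTERFACE' => 'CGI/1.1',
        'SERVER_PROTOCOL'   => 'HTTP/1.0',
        'REQUEST_METHOD'    => 'GET',
        'SCRIPT_NAME'       => '/cgi-bin/' . basename($binary),
        'QUERY_STRING'      => http_build_query($params),   // percent-encoded
        'LD_LIBRARY_PATH'   => '/usr/local/app/lib:/usr/lib:/usr/local/lib',
        'PATH'              => '/usr/bin:/bin',
    ];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(escapeshellarg($binary), $spec, $pipes, dirname($binary), $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    fclose($pipes[0]);                         // GET request: no body on stdin
    $raw    = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    // A CGI program emits header lines, a blank line, then the body.
    $parts   = preg_split("/\r?\n\r?\n/", $raw, 2);
    $headers = [];
    foreach (explode("\n", $parts[0]) as $line) {
        if (strpos($line, ':') !== false) {
            list($k, $v) = explode(':', $line, 2);
            $headers[trim($k)] = trim($v);
        }
    }
    return [
        'exit'    => $status,
        'headers' => $headers,
        'body'    => isset($parts[1]) ? $parts[1] : '',
        'stderr'  => $stderr,
    ];
}

$res = runCgi('/usr/local/app/cgi-bin/whatever.exe', ['foo' => 'bar', 'baz' => 'quux']);
if ($res['exit'] !== 0) {
    error_log('cgi failed: ' . $res['stderr']);
    http_response_code(502);
    exit;
}
// Forward the script's own Content-Type (if any) and relay the body.
if (isset($res['headers']['Content-Type'])) {
    header('Content-Type: ' . $res['headers']['Content-Type']);
}
echo $res['body'];
```

Reading stdout to completion before stderr is fine for a program that writes little to stderr; one that is chatty there can fill the pipe and stall, in which case redirect descriptor 2 to a file in $spec or read both pipes with stream_select().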
|
McGlockenshire posted: Is this on shared hosting? (Given the cPanel mention...) If so, it's possible or even likely that the exploit is somewhere else on the machine.

Yeah that's my next step, but would prefer to have a smoking gun of some kind before going to the hosts. But that'll basically be what happens if I eliminate most other possibilities.
|
# ? Jan 23, 2012 21:10 |
|
Scaramouche posted: Yeah that's my next step, but would prefer to have a smoking gun of some kind before going to the hosts. But that'll basically be what happens if I eliminate most other possibilities.

The most common thing I see in a shared environment is either c99, r57 or SyRiAn Sh3ll shells. These are usually placed in a wp-theme cache directory of an unpatched wordpress install or if you're using a bad version of timthumb. On a properly configured system, those scripts won't allow a hacker to do any damage to the system or other users, but they can end up sending shitloads of spam from your account. It also allows a web based front end for your account allowing them to upload files, create directories and do just about anything you can do from command line or the cPanel file manager. In the event the host you are on now doesn't have specific functions disabled in PHP, this attack could be coming from another account. It's also possible the server itself is compromised.

This is what I'd do in your situation. Log in to cPanel, download a full account backup. Submit a ticket with your host and ask them to nuke your account and reprovision it. Then I'd create the databases from scratch, upload the sql backups via phpmyadmin or command line if you have it. Then install a fresh clean copy of wordpress and use the default theme for a couple of days. See if the files/folders come back. Don't upload any of your files you downloaded unless you have confirmed they are legit and don't have anything malicious in them.

DarkLotus fucked around with this message at 22:03 on Jan 23, 2012 |
# ? Jan 23, 2012 21:50 |
|
Anybody here use RedBean for their ORM? I love it, it's awesome, simple. It's super lightweight and doesn't have the query functions I'm used to from Django, but drat, for a drop-in replacement, RedBean is near impossible to beat.
|
# ? Jan 24, 2012 07:54 |
|
Does anybody know where to find docs about the ExpressionEngine super object? Having trouble finding information.
|
# ? Jan 27, 2012 03:39 |
|
I'm processing employment applications for a client and we're allowing applicants to attach their resumes (pdf/doc/docx files). For the sake of simplicity, I'm storing the documents as blob elements in the database and storing the file type in the db so that it can be downloaded later on using the header function. When I test the system it seems to work fine for all the allowed formats. However, for a few people who have uploaded files (only doc, docx or pdf extensions are allowed), the file type comes through as "application/octet-stream" and those won't open when I download them. I can't tell if the problem is in the upload function or if I'm doing something wrong on the download side. I can't seem to recreate the problem, either. Any ideas?
|
# ? Jan 27, 2012 23:39 |
|
klem_johansen posted: I'm processing employment applications for a client and we're allowing applicants to attach their resumes (pdf/doc/docx files). For the sake of simplicity, I'm storing the documents as blob elements in the database and storing the file type in the db so that it can be downloaded later on using the header function. When I test the system it seems to work fine for all the allowed formats.

you might have to build the headers yourself and send out one of the following (pdf, doc, docx respectively):

application/pdf
application/msword
application/vnd.openxmlformats-officedocument.wordprocessingml.document

http://en.wikipedia.org/wiki/Internet_media_type

e: I have no idea if I read your question correctly. It sounds like some people's browsers are uploading the files with a dumb media type and you should choose the correct media type based on the file extension rather than what their dumb browser told you
|
# ? Jan 27, 2012 23:43 |
|
mewse posted: you might have to build the headers yourself and send out one of the following (pdf, doc, docx respectively):

The upload code grabs the content-type header from the original file and stores it in the DB and then just recreates it on the way back. Could it be that the browser is reporting the file as octet-stream because there IS no extension? That's something I have not tried yet.
|
# ? Jan 27, 2012 23:56 |
|
klem_johansen posted: The upload code grabs the content-type header from the original file and stores it in the DB and then just recreates it on the way back.

Shame that it's in a DB, otherwise you could just use mime_content_type() on the file and it wouldn't matter what extension it had. Probably the best thing would be to run mime_content_type() on the temp uploaded file and use that value to insert in the database, rather than what the client says.
|
# ? Jan 28, 2012 00:14 |
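An added example, not code from the thread, that puts the two upload points raised here together: the type is sniffed from the temp file with finfo instead of taken from what the client sent (this post), and the stored name is generated server-side so a faked filename such as "../../../index.php" (geonetix's earlier point) cannot reach the filesystem. The storage directory, the record layout and the "resume" form field are assumptions; it needs PHP 5.4 or later and the fileinfo and OpenSSL extensions.

```php
<?php
// Added example, not code from the thread: accepting a resume upload without
// trusting either the client-supplied filename or its Content-Type. The storage
// directory and the record layout are assumptions.

// Sniffed MIME type => extension we will store the file under.
$ALLOWED = [
    'application/pdf'    => 'pdf',
    'application/msword' => 'doc',
    'application/vnd.openxmlformats-officedocument.wordprocessingml.document' => 'docx',
];

function acceptResume(array $file, $storeDir, array $allowed)
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . $file['error']);
    }
    // Only accept a path that PHP itself created for this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Decide the type from the bytes on disk; $file['type'] is whatever the
    // browser said and is ignored (it is what produced "application/octet-stream").
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("rejected content type: $mime");
    }
    // The stored name is random and the extension comes from the sniffed type,
    // so a client name like "../../../index.php" never reaches the filesystem.
    $name = bin2hex(openssl_random_pseudo_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the app, not executable by anyone
    return ['path' => $dest, 'mime' => $mime, 'original' => basename($file['name'])];
}

// Download side: serve from the stored record, never from a client-chosen path.
function sendResume(array $rec)
{
    $dl = preg_replace('/[^A-Za-z0-9._-]/', '_', $rec['original']);
    header('Content-Type: ' . $rec['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $dl . '"');
    header('Content-Length: ' . filesize($rec['path']));
    readfile($rec['path']);
}

// Constructed request handling for a form field named "resume".
if (!empty($_FILES['resume'])) {
    $rec = acceptResume($_FILES['resume'], '/var/app/resumes', $ALLOWED);
    // persist $rec (path, mime, original name) in the applications table here
}
```

Keep the storage directory outside the document root so the only way to a stored file is through sendResume(). One caveat with the sniffing: older libmagic builds report a .docx as application/zip rather than the wordprocessingml type, so check what finfo returns for a known-good sample on the target host before going live.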
|
yeeeahh.. Don't Trust The Client
|
# ? Jan 28, 2012 00:28 |
|
I think the problem may have been that I was inadvertently escaping the file contents. I added an exception handler to un-escape the handful of files that were uploaded before the fix and now everything seems fine. As an extra measure, though, I'm storing them as flat files in a secure directory and also in the db, so if something does get corrupted I have a fallback. Now I will sleep.
|
# ? Jan 28, 2012 05:50 |
|
If I have a bunch of variables in an include file, is there a way to access those variables directly from within another function? Something like this: code:
This is probably very obvious but today is my first day with PHP so...yeah.
|
# ? Jan 29, 2012 20:28 |
|
Oxford Comma posted: If I have a bunch of variables in an include file, is there a way to access those variables directly from within another function? Something like this:

Try this: code:
http://us3.php.net/manual/en/language.variables.scope.php
|
# ? Jan 29, 2012 21:19 |
|
If $x is a variable that is supposed to modify the behaviour of the function, then it is generally considered proper to pass it as a parameter to the function, as in the following code. code:

Another possibility, if $x is something that will be defined once and then won't change (and provided it's a scalar value, i.e. not an object nor an array) is that you can define it as a constant. If you do that, then you do not need to declare it global. code:
|
# ? Jan 29, 2012 22:18 |
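An added example, not the code from either reply, that shows the three approaches side by side in one file: a function cannot see the file-scope $x at all, `global` pulls it in, passing it as a parameter removes the hidden dependency, and a constant needs no declaration. The include file is simulated inline; its name and the MAX_ITEMS constant are assumptions.

```php
<?php
// Added example, not from the thread: the three ways the replies describe for
// getting a value from an include file into a function. Names are assumptions.

// --- settings.php (simulated inline; normally `require 'settings.php';`) ---
$x = 10;                    // plain file-scope variable
define('MAX_ITEMS', 10);    // constant: visible everywhere, cannot be reassigned

// 1. A function has its own scope: the file's $x is undefined in here.
function withoutGlobal()
{
    return isset($x) ? $x : 'undefined';   // 'undefined'
}

// 2. `global` pulls the file-scope variable in (works, but hides the dependency).
function withGlobal()
{
    global $x;
    return $x * 2;                          // 20
}

// 3. Pass it as a parameter: the function depends only on what it is given.
function withParameter($x)
{
    return $x * 2;                          // 20
}

// 4. A constant needs no declaration inside the function.
function withConstant()
{
    return MAX_ITEMS * 2;                   // 20
}

var_dump(withoutGlobal(), withGlobal(), withParameter($x), withConstant());
```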
|
Token cautionary point: Global variables are brittle little horrors that will pile up and make your application unmaintainable. The more information you keep in the global scope, the harder it's going to be to refactor things into any semblance of sanity. The same goes for Singletons and sometimes the Registry pattern. There's usually a better way to deal with the problem.
|
# ? Jan 30, 2012 04:02 |
|
Not so much a coding question here, but I was hoping to get some opinions. Right now I run a website that has its own authentication system in CodeIgniter. It's come time I feel I need some forums. Rolling my own forums seems silly with such great software already out there, bug tested, and feature filled. However I don't want to burden my users with multiple sign ons. So after Googling the only real solution I've come across is Vanilla forums. http://vanillaforums.org Has anyone here ever used it? Is it recommended or terrible? They have a paid hosted solution so I imagine it must be decent. I'm specifically interested because it has a premade single sign on module that should integrate well with my current setup. You can read about that here http://vanillaforums.org/docs/singlesignon Any other ideas are also welcome. I'm not interested in vbulletin as it's drat pricey for a site I make no profit off of.
|
# ? Jan 30, 2012 17:22 |
|
vB is horrible crap, if you're going to pay for something use IPB.
|
# ? Jan 30, 2012 17:27 |
|
I'm really not interested in paying for anything as of yet. The small ad revenue on my site barely covers the costs. I only mentioned VB as it is well known and has the functionality I described. A free solution would be ideal.
|
# ? Jan 30, 2012 17:45 |
|
Vanilla and phpBB are pretty much your only options that are both free and Free and worth the time and effort. Be warned that Vanilla is a very non-standard experience for new users, but be warned that phpBB's code sucks.
|
# ? Jan 31, 2012 07:30 |
|
Biowarfare posted: vB is horrible crap, if you're going to pay for something use IPB.

Isn't IPB just as lovely? I haven't used it since back when it was free, so they may have improved it. But it was pretty awful back then.
|
# ? Jan 31, 2012 20:20 |
|
Optimus Prime Ribs posted:Isn't IPB just as lovely?
|
# ? Jan 31, 2012 20:29 |
|
Optimus Prime Ribs posted: Isn't IPB just as lovely?

IPB is pretty great actually. I've been using it for a few years now and it hasn't failed me. The new spam monitoring stuff is pretty handy and the forums, overall, are very sleek.
|
# ? Feb 2, 2012 00:45 |
|
Just want to share one of the best (and easiest to use) classes for password security I've found: https://github.com/tom--/Randomness It's built to be used for the Yii Framework, but you can easily modify it to work in any application.

quote: There are many tutorials and examples that show storage of passwords in a table.
|
# ? Feb 6, 2012 18:10 |
|
Here's a slightly older bcrypt PHP class that works with any framework: http://www.openwall.com/phpass/
|
# ? Feb 6, 2012 18:24 |
|
Make sure you've turned off compat mode in phpass, otherwise you get something objectively inferior to Blowfish. If you have nothing that can provide Blowfish, then something that implements PBKDF2 is going to be a better bet. I'm a fan of CryptLib, as it also can interpret passwords generated by many other popular hashing schemes.
McGlockenshire fucked around with this message at 19:45 on Feb 6, 2012 |
# ? Feb 6, 2012 19:42 |
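An added example, not code from phpass, CryptLib or the Randomness class, of what the last three posts recommend: bcrypt through crypt() with a properly generated salt, and a PBKDF2-HMAC-SHA256 fallback for a host whose crypt() has no Blowfish (phpass's "portable" compat mode falls back to an MD5 construction instead, which is the inferior option being warned about). It assumes PHP 5.3.7 or later for the $2y$ prefix and the OpenSSL extension; the storage format for the PBKDF2 string is made up here.

```php
<?php
// Added example, not phpass/CryptLib code: bcrypt via crypt() with a random salt,
// and a PBKDF2-HMAC-SHA256 fallback for hosts whose crypt() lacks Blowfish.
// Assumes PHP >= 5.3.7 (for "$2y$") and the OpenSSL extension.

function bcryptHash($password, $cost = 12)
{
    // crypt() wants a 22-character salt from the bcrypt alphabet [./A-Za-z0-9].
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$', $cost) . $salt);
    if (strlen($hash) !== 60) {            // crypt() returns "*0"/"*1" on failure
        throw new RuntimeException('Blowfish crypt() not available on this host');
    }
    return $hash;
}

function bcryptVerify($password, $hash)
{
    // The stored hash carries its own cost and salt, so it doubles as the salt argument.
    return hashEquals(crypt($password, $hash), $hash);
}

// PBKDF2 (RFC 2898) built from hash_hmac(); hash_pbkdf2() only exists from PHP 5.5.
function pbkdf2($algo, $password, $salt, $iterations, $length)
{
    $hashLen = strlen(hash($algo, '', true));
    $blocks  = (int) ceil($length / $hashLen);
    $out     = '';
    for ($i = 1; $i <= $blocks; $i++) {
        $u = hash_hmac($algo, $salt . pack('N', $i), $password, true);
        $t = $u;
        for ($j = 1; $j < $iterations; $j++) {
            $u  = hash_hmac($algo, $u, $password, true);
            $t ^= $u;                         // byte-wise XOR of equal-length strings
        }
        $out .= $t;
    }
    return substr($out, 0, $length);
}

// Self-describing record (constructed format): pbkdf2$algo$iterations$salt$dk
function pbkdf2Hash($password, $iterations = 20000)
{
    $salt = openssl_random_pseudo_bytes(16);
    $dk   = pbkdf2('sha256', $password, $salt, $iterations, 32);
    return 'pbkdf2$sha256$' . $iterations . '$' . base64_encode($salt) . '$' . base64_encode($dk);
}

function pbkdf2Verify($password, $stored)
{
    $parts = explode('$', $stored);
    if (count($parts) !== 5 || $parts[0] !== 'pbkdf2') {
        return false;
    }
    list(, $algo, $iter, $salt, $dk) = $parts;
    $expected = base64_decode($dk);
    $calc = pbkdf2($algo, $password, base64_decode($salt), (int) $iter, strlen($expected));
    return hashEquals($calc, $expected);
}

// Constant-time comparison; hash_equals() only exists from PHP 5.6.
function hashEquals($a, $b)
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $r = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $r |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $r === 0;
}

// Pick bcrypt when the host supports it, PBKDF2 otherwise.
function hashPassword($password)
{
    try {
        return bcryptHash($password);
    } catch (RuntimeException $e) {
        return pbkdf2Hash($password);
    }
}

function verifyPassword($password, $stored)
{
    return strpos($stored, '$2y$') === 0
        ? bcryptVerify($password, $stored)
        : pbkdf2Verify($password, $stored);
}
```

On PHP 5.5 and later, password_hash() and password_verify() do the bcrypt part of this with the same $2y$ format, and hash_pbkdf2() replaces the hand-rolled loop; the point of the loop here is to show that a PBKDF2 fallback is a few lines of hash_hmac(), not a reason to stay on an MD5-based scheme.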