Lavalair Mods...

**something else** · 23.07.10, 17:17

thinking about above post ... migfht be better having a file:
antiinjection.php

PHP Code:


<?php

if(isset($_REQUEST)){foreach($_REQUEST as $key=>$value){$_REQUEST[$key]=mysql_real_escape_string(htmlspecialchars($value));}} 

if(isset($_SERVER)){foreach($_SERVER as $key=>$value){$_SERVER[$key]=mysql_real_escape_string(htmlspecialchars($value));}}

if(isset($_SESSION)){foreach($_SESSION as $key=>$value){$_SESSION[$key]=mysql_real_escape_string(htmlspecialchars($value));}}

?>

then just using:

PHP Code:


include 'antiinjection.php';

at the top of every page

**something else** · 23.07.10, 17:27

yeah you could just add:

PHP Code:


if(isset($_GET)){foreach($_GET as $key=>$value){$_GET[$key]=addslashes(htmlspecialchars($value));}} 

if(isset($_POST)){foreach($_POST as $key=>$value){$_POST[$key]=addslashes(htmlspecialchars($value));}}    

if(isset($_SERVER)){foreach($_SERVER as $key=>$value){$_SERVER[$key]=addslashes(htmlspecialchars($value));}}  

if(isset($_SESSION)){foreach($_SESSION as $key=>$value){$_SESSION[$key]=addslashes(htmlspecialchars($value));}}

to your config.php

**khan** · 23.07.10, 19:18

Originally posted by something else View Post

thinking about above post ... migfht be better having a file:
antiinjection.php

PHP Code:


<?php

if(isset($_REQUEST)){foreach($_REQUEST as $key=>$value){$_REQUEST[$key]=mysql_real_escape_string(htmlspecialchars($value));}} 

if(isset($_SERVER)){foreach($_SERVER as $key=>$value){$_SERVER[$key]=mysql_real_escape_string(htmlspecialchars($value));}}

if(isset($_SESSION)){foreach($_SESSION as $key=>$value){$_SESSION[$key]=mysql_real_escape_string(htmlspecialchars($value));}}

?>

then just using:

PHP Code:


include 'antiinjection.php';

at the top of every page

I you do that, some value will not work. like intejer, numeric value..bla bla bla

**something else** · 23.07.10, 19:53

Originally posted by riderz

dont work when i add that in confic it show error msges saying no password

Code:

for user '..........'@'localhost' (using password: NO) in /home/............./public_html/config.php on line 16

Place it below your database connection :P

**nclemale36** · 28.07.10, 18:11

Code:

///////////////////////////////del one persons messages
else if($action=="delonemsg")
{
  $who = $_GET["who"];
  $user = getnick_uid($who);
  echo "<head>";
  echo "<title>Owner Tools</title>";
  echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"../themes/$theme[0]\">";
  echo "</head>";
  echo "<body>";
  echo "<p align=\"center\">";
  $uid = getuid_sid($sid);
  $perm = mysql_fetch_array(mysql_query("SELECT perm FROM ibwf_users WHERE id='".$uid."'"));
  $trgtperm = mysql_fetch_array(mysql_query("SELECT perm FROM ibwf_users WHERE name='".$user."'"));

  if($trgtperm>$perm){ 
  echo "<b><img src=\"../images/notok.gif\" alt=\"x\"/><br/>Error!!!<br/>permission Denied...</b><br/>";
  echo "<br/>U Cannot Delete $user<br/>";
  echo "<a href=\"index.php?action=main&amp;sid=$sid\"><img src=\"../images/home.gif\" alt=\"\"/>Home</a>";
  echo "</p>";
  }else{

  echo "<br/>";
$res = mysql_query("DELETE FROM ibwf_private WHERE byuid='".$who."'");
  $res = mysql_query("DELETE FROM ibwf_popups WHERE byuid='".$who."'");

 if($res)
  {
  echo "<img src=\"../images/ok.gif\" alt=\"O\"/>Users messages deleted successfully";
mysql_query("INSERT INTO ibwf_mlog SET action='users pms ', details='<b>".getnick_uid(getuid_sid($sid))."</b> $user messages deleted', actdt='".time()."'");
  }else{
  echo "<img src=\"../images/notok.gif\" alt=\"X\"/>Error deleting UGroup";
  }
 
  echo "<b>0 </b><a accesskey=\"0\" href=\"index.php?action=main&amp;sid=$sid\"><img src=\"../images/home.gif\" alt=\"\"/>Home</a>";
  }
  echo "</p></body>";
}

usage

Code:

echo "<a href=\"yourtools.php?action=delonemsg&amp;sid=$sid&amp;who=$who\">Delete All Users Messages</a><br/>";

lets say someone spams your site and no one catches them doing it for ages. they will of spammed alot of users. this can delete just that users sent messages no one elses .the only other way of clesring one persons messages is to delete the user .

**pmbguy** · 06.08.10, 10:23

user avatar function... safe and easy...
////////////////////////////////////////////getavatar///////////////
function useravat($uid)
{
$avat = mysql_fetch_array(mysql_query("SELECT avatar FROM fun_users WHERE id='".$uid."'"));

$avatar = "<img src=\"phpThumb/phpThumb.php?iar=1&w=40&src=$avat[0]\">";
return $avatar;

}
/////////////////////////////////////////////////////////
to use:
echo useravat($who); or $uid or whatever...

**subzero** · 06.08.10, 11:03

@nclemale36

Code:

@mysql_query("TRUNCATE TABLE `chat4u_UserPms`");

This will clean users inbox at one hit ....

Also note it will delete all and keeps the sql

But your way it only deletes some but not all best idea for busy site's over 1 MILL users will use this

**opticalpigion** · 06.08.10, 11:38

Sql/Xss injection protection + registration flood protection.

captcha.php

PHP Code:


<?

session_start();

header('content-type: image/jpeg');

$text = rand(10000,99999);

$_SESSION["vercode"] = $text;



$height = 25;

$width = 65;



$image_p = imagecreate($width, $height);

$black = imagecolorallocate($image_p, 0, 0, 0);

$white = imagecolorallocate($image_p, 255, 255, 255);

$font_size = 14; 

imagestring($image_p, $font_size, 5, 5, $text, $white);

imagejpeg($image_p, null, 80);

?>

register-form.php

PHP Code:


<?php

    session_start();

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<title>Registration Form</title>

<link href="style.css" rel="stylesheet" type="text/css" />

</head>

<body>

<?php

    if( isset($_SESSION['ERRMSG_ARR']) && is_array($_SESSION['ERRMSG_ARR']) && count($_SESSION['ERRMSG_ARR']) >0 ) {

        echo '<p align=\"center"\>';

        echo '<ul class="err">';

        foreach($_SESSION['ERRMSG_ARR'] as $msg) {

            echo '<li>',$msg,'</li>'; 

        }

        echo '</ul>';

        echo '</p>';

        unset($_SESSION['ERRMSG_ARR']);

    }

?>

<form id="loginForm" name="loginForm" method="post" action="register-exec.php">

  <table width="300" border="0" align="center" cellpadding="2" cellspacing="0">

    <tr>

      <th>Email Address</th>

      <td><input name="email" type="text" class="textfield" id="fname" /></td>

    </tr>

     <tr>

      <th width="124">User ID</th>

      <td width="168"><input name="login" type="text" class="textfield" id="login" /></td>

    </tr>

    <tr>

      <th>Password</th>

      <td><input name="password" type="password" class="textfield" id="password" /></td>

    </tr>

    <tr>

      <th>Confirm Password </th>

      <td><input name="cpassword" type="password" class="textfield" id="cpassword" /></td>

    </tr>

    <tr>

    <tr>

      <th>Human Test</th>

     <td><img src="captcha.php"><input type="text" name="vercode" /><br>   </td>  </tr>

    <tr>

      <td>&nbsp;</td>

      <td><input type="submit" name="Submit" value="Register" /></td>

    </tr>

  </table>

</form>

</body>

</html>

register-exec.php

PHP Code:


<?php

    //Start session

    session_start();



    //Include database connection details

    require_once('config.php');

    

    //Array to store validation errors

    $errmsg_arr = array();

    

    //Validation error flag

    $errflag = false;

    

    //Connect to mysql server

    $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);

    if(!$link) {

        die('Failed to connect to server: ' . mysql_error());

    }

    

    //Select database

    $db = mysql_select_db(DB_DATABASE);

    if(!$db) {

        die("Unable to select database");

    }

    

    //Function to sanitize values received from the form. Prevents SQL/XSS injection

function clean($str) {

        $str = @trim($str);

        if(get_magic_quotes_gpc()) {

            $str=htmlspecialchars($str);                       

            $str=stripslashes(trim($str));

            $search=array("\\","\0","\n","\r","\x1a","'",'"');

            $replace=array("\\\\","\\0","\\n","\\r","\Z","\'",'\"');

            $str = str_replace($search,$replace,$str);

        }

        return mysql_real_escape_string($str);

    }

    

    //Sanitize the POST values

    $email = clean($_POST['email']);

    $login = clean($_POST['login']);

    $password = clean($_POST['password']);

    $cpassword = clean($_POST['cpassword']);



    //Input Validations

    if ($_POST["vercode"] != $_SESSION["vercode"] OR $_SESSION["vercode"]=='')  { 

     $errmsg_arr[] = 'Failed Human Test.';

        $errflag = true;

} 

    if($email == '') {

        $errmsg_arr[] = 'Email Add is missing';

        $errflag = true;

    }

    

    if($login == '') {

        $errmsg_arr[] = 'Login ID missing';

        $errflag = true;

    }

    if($password == '') {

        $errmsg_arr[] = 'Password missing';

        $errflag = true;

    }

    if($cpassword == '') {

        $errmsg_arr[] = 'Confirm password missing';

        $errflag = true;

    }

    if( strcmp($password, $cpassword) != 0 ) {

        $errmsg_arr[] = 'Passwords do not match';

        $errflag = true;

    }

    

    //Check for duplicate login ID

    if($login != '') {

        $qry = "SELECT * FROM ibwf_users WHERE name='$login'";

        $result = mysql_query($qry);

        if($result) {

            if(mysql_num_rows($result) > 0) {

                $errmsg_arr[] = 'Login ID already in use';

                $errflag = true;

            }

            @mysql_free_result($result);

        }

        else {

            die("Query failed");

        }

    }

    

    //If there are input validations, redirect back to the registration form

    if($errflag) {

        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;

        session_write_close();

        header("location: register-form.php");

        exit();

    }



    //Create INSERT query

    $qry = "INSERT INTO ibwf_users(email, validated, name, pass) VALUES('$email','1','$login','".md5($_POST['password'])."')";

    $result = @mysql_query($qry);

    

    //Check whether the query was successful or not

    if($result) {

        header("location: register-success.php");

        exit();

    }else {

        die("Query failed");

    }

?>

register-success.php

PHP Code:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<title>Registration Successful</title>

<link href="style.css" rel="stylesheet" type="text/css" />

</head>

<body>

<h1>Registration Successful</h1>

<p><a href="index.php">Click here</a> to login to your account.</p>

</body>

</html>

to scan more input value u can use this function

PHP Code:


function clean($str) {

        $str = @trim($str);

        if(get_magic_quotes_gpc()) {

            $str=htmlspecialchars($str);                       

            $str=stripslashes(trim($str));

            $search=array("\\","\0","\n","\r","\x1a","'",'"');

            $replace=array("\\\\","\\0","\\n","\\r","\Z","\'",'\"');

            $str = str_replace($search,$replace,$str);

        }

        return mysql_real_escape_string($str);

    }

use as

PHP Code:


$email = clean($_POST['email']);

**something else** · 21.08.10, 02:17

Originally posted by shakil420

yeah thanx bro....is it possible.....suppose if any user change his browser then his session automatically dropped??? like in opera ----> 420.com/index.php?action=main&sid=420420420420 then when he tried to paste the link with others opera/mozilla browsers like in mozilla -----> 420.com/index.php?action=main&sid=420420420420

then it shows "hei 420 site sid proteced lol"

if u know the code trhen post pls

PHP Code:


$bro = mysql_fetch_array(mysql_query("SELECT browserm FROM ibwf_users WHERE id='".$uid."'"));

$brws = $_SERVER['HTTP_USER_AGENT'];

if($bro[0]!=$brws){

echo "hei 420 site sid proteced lol";

exit;

}

**kafa** · 22.08.10, 14:16

I need some advice or help:

how to speed up the function that displays number of topics, number of posts and the last post (nick and time) of the subforum on my web extension of lava (trying to make it phpBB like)?

I am using this code:

PHP Code:


$forums = mysql_query("SELECT id, name FROM ibwf_forums WHERE cid='".$cid."' AND clubid='0' ORDER BY position, id, name");

    while($forum = mysql_fetch_array($forums))
    {
      if(canaccess(getuid_sid($sid), $forum[0]))
      {
      $notp = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM ibwf_topics WHERE fid='".$forum[0]."'"));
      $nops = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM ibwf_posts a INNER JOIN ibwf_topics b ON a.tid = b.id WHERE b.fid='".$forum[0]."'"));
      $iml = "<img src=\"images/1.gif\" alt=\"*\"/> ";

      $lpt = mysql_fetch_array(mysql_query("SELECT id, name FROM ibwf_topics WHERE fid='".$forum[0]."' ORDER BY lastpost DESC LIMIT 0,1"));
      $nops0 = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM ibwf_posts WHERE tid='".$lpt[0]."'"));
      if($nops0[0]==0)
      {
      $pinfo = mysql_fetch_array(mysql_query("SELECT authorid FROM ibwf_topics WHERE id='".$lpt[0]."' LIMIT 0,1"));
      }
      else
      {
      $pinfo = mysql_fetch_array(mysql_query("SELECT uid FROM ibwf_posts WHERE tid='".$lpt[0]."' ORDER BY dtpost DESC LIMIT 0,1"));
      }
      $tlnm = htmlspecialchars($lpt[1]);
      $tlnick = getnick_uid($pinfo[0]);
      $tpclnk = "<a href=\"index.php?action=viewtpc&amp;sid=$sid&amp;tid=$lpt[0]&amp;go=last\">$tlnm</a>";
      $vulnk = "<a href=\"index.php?action=viewuser&amp;sid=$sid&amp;who=$pinfo[0]\">$tlnick</a>";
      
    echo "<tr>
    <td valign=\"middle\" width=\"25\">&nbsp;$iml</td>
    <td align=\"left\" width=\"200\" class=\"sjena\">&nbsp;<a href=\"index.php?action=viewfrm&amp;sid=$sid&amp;fid=$forum[0]\">$forum[1]</a></td>
    <td width=\"50\" align=\"center\" class=\"sjena\">$notp[0]</td>
    <td width=\"60\" align=\"center\" class=\"sjena\">$nops[0]</td>
    <td align=\"right\" class=\"style12\">$tpclnk&nbsp;<br/>od: $vulnk&nbsp;</td>
    </tr><tr><td colspan=\"5\"><hr></td></tr>";
    }
    }

and preview how slow it is can be seen here: MERAK.mobi

**shakil420** · 22.08.10, 17:00

@ thank u for the post something else bro ///

PHP Code:


if($bro[0]!=$brws)

in the code (!= ) what it means?? not equal?? when i use the code it always show hei 420 site sid proteced lol though i use same browser.... reply soon thank u

**something else** · 22.08.10, 17:44

yes it means not equal

oh the original script explodes browser name try:

PHP Code:


$bro = mysql_fetch_array(mysql_query("SELECT browserm FROM ibwf_users WHERE id='".$uid."'")); 

$brws = $_SERVER['HTTP_USER_AGENT']; 

$brws = explode(" ", $brws);

if($bro[0]!=$brws[0]){ 

echo "hei 420 site sid proteced lol"; 

exit; 

}

Added after 32 minutes:

Originally posted by kafa View Post

I need some advice or help:

how to speed up the function that displays number of topics, number of posts and the last post (nick and time) of the subforum on my web extension of lava (trying to make it phpBB like)?

Try This I havent Tested it:

PHP Code:


$forums = mysql_query("SELECT id, name FROM ibwf_forums WHERE cid='".$cid."' AND clubid='0' ORDER BY position, id, name");

    while($forum = mysql_fetch_array($forums))

    {

      if(canaccess(getuid_sid($sid), $forum[0]))

      {

      $notp = mysql_fetch_array(mysql_query("SELECT COUNT(*), id, name FROM ibwf_topics WHERE fid='".$forum[0]."'"));

      $nops = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM ibwf_topics WHERE tid='".$notp[1]."'"));

      if($nops[0]==0)

      {

      $pinfo = mysql_fetch_array(mysql_query("SELECT authorid FROM ibwf_topics WHERE id='".$notp[1]."'"));

      }else{

      $pinfo = mysql_fetch_array(mysql_query("SELECT uid FROM ibwf_posts WHERE tid='".$notp[1]."'"));

      }

    echo "<tr>

    <td valign=\"middle\" width=\"25\">&nbsp;<img src=\"images/1.gif\" alt=\"*\"/></td>

    <td align=\"left\" width=\"200\" class=\"sjena\">&nbsp;<a href=\"index.php?action=viewfrm&amp;sid=$sid&amp;fid=$forum[0]\">$forum[1]</a></td>

    <td width=\"50\" align=\"center\" class=\"sjena\">$notp[0]</td>

    <td width=\"60\" align=\"center\" class=\"sjena\">$nops[0]</td>

    <td align=\"right\" class=\"style12\">

    <a href=\"index.php?action=viewtpc&amp;sid=$sid&amp;tid=$lpt[1]&amp;go=last\">".htmlspecialchars($notp[2])."</a> &nbsp;<br/>

    od: <a href=\"index.php?action=viewuser&amp;sid=$sid&amp;who=$pinfo[0]\">".getnick_uid($pinfo[0])."</a> &nbsp;</td>

    </tr><tr><td colspan=\"5\"><hr></td></tr>";

    }

    }

**kafa** · 22.08.10, 18:12

Originally posted by something else View Post

Try This I havent Tested it:

PHP Code:


      $notp = mysql_fetch_array(mysql_query("SELECT COUNT(*), id, name FROM ibwf_topics WHERE fid='".$forum[0]."'"));
      $nops = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM ibwf_topics WHERE tid='".$notp[1]."'"));

It does'nt work cus of this part: SELECT COUNT(*), id, name FROM ibwf_topics returns => mysql_fetch_array(): supplied argument is not a valid MySQL result resource

**subzero** · 22.08.10, 18:35

COUNT(*), id, name <-- Wrong!
COUNT('id','name') <-- Right

**something else** · 22.08.10, 18:58

oops:

PHP Code:


$forums = mysql_query("SELECT id, name FROM ibwf_forums WHERE cid='".$cid."' AND clubid='0' ORDER BY position, id, name"); 

    while($forum = mysql_fetch_array($forums)) 

    { 

      if(canaccess(getuid_sid($sid), $forum[0])) 

      { 

      $notp = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM ibwf_topics WHERE fid='".$forum[0]."'")); 

      $tpi = mysql_fetch_array(mysql_query("SELECT id, name FROM ibwf_topics WHERE fid='".$forum[0]."'")); 

      $nops = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM ibwf_topics WHERE tid='".$tpi0]."'")); 

      if($nops[0]==0) 

      { 

      $pinfo = mysql_fetch_array(mysql_query("SELECT authorid FROM ibwf_topics WHERE id='".$tpi[0]."'")); 

      }else{ 

      $pinfo = mysql_fetch_array(mysql_query("SELECT uid FROM ibwf_posts WHERE tid='".$tpi[0]."'")); 

      } 

    echo "<tr> 

    <td valign=\"middle\" width=\"25\">&nbsp;<img src=\"images/1.gif\" alt=\"*\"/></td> 

    <td align=\"left\" width=\"200\" class=\"sjena\">&nbsp;<a href=\"index.php?action=viewfrm&amp;sid=$sid&amp;fid=$forum[0]\">$forum[1]</a></td> 

    <td width=\"50\" align=\"center\" class=\"sjena\">$notp[0]</td> 

    <td width=\"60\" align=\"center\" class=\"sjena\">$nops[0]</td> 

    <td align=\"right\" class=\"style12\"> 

    <a href=\"index.php?action=viewtpc&amp;sid=$sid&amp;tid=$lpt[1]&amp;go=last\">".htmlspecialchars($tpi[1])."</a> &nbsp;<br/> 

    od: <a href=\"index.php?action=viewuser&amp;sid=$sid&amp;who=$pinfo[0]\">".getnick_uid($pinfo[0])."</a> &nbsp;</td>

Lavalair Mods...

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment