Messages

[or die]

The @ isn't usually necessary, it's just used to tell mysql not to report any errors. It's used when you know there can be an error occuring, but you know that error isn't important for the rest of your code and you still want your code to run the rest of the way.

Another reason to do that is if you want to do custom error reporting, like so:

Code Select Expand

<?php
$query = @mysql_query('SELECT * FROM table');
if ($query) {
echo 'query successful';
} else {
echo 'query unsuccessful';
}
// If you only want to output a message on failure, you could do something like this:
$query = @mysql_query('SELECT * FROM table') OR echo 'query unsuccessful';
?>
Naturally, you could always replace the echo with something else.  (exit(), mysql_error(), etc.)

or die works too.  I use or die(mysql_error())

It should not erase the file.

Please provide an example filename/URL.

Be sure you do not have another file with the same name.

Thank you,
FreePgs.com Admin

Turns out I'm just an idiot. I was opening the file with fopen() before and I accidentlay wrote over it. The file was curropt to begin with I just thought it was rename. It works now, sorry.

I used rename() to rename a PNG file... and it did change the name. It also erases eveything, the file is 0 bytes. HOW can you rename something without delting it!??!?!??!

Just a couple notes on this topic.
You should always allow people to view the image if they don't send any referer header at all, because some browsers don't.  (or if they just typed the URL in, it wouldn't send a referer header).
On top of that, you should always let people with google as a referer view images, because you really don't want to alienate visitors coming from the largest search engine ever, do you?

YEah I see what you mean. I still like my idea, as slow moving as it would be. It woul dwork great with a gallery where you only have to update 1 name at a time.

it is technically supposed to work. however, i must log off so I can't check this tonight. I'll check that out tomorrow, unless someone else finds an answer quicker than me.

What it ended up doing was blocking most sites but instead of allowing ONLY neopets.com/whatever it let the whole neopets.com access the files. I guess directories don't work.

what did you try exactly?

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^(http://(www\.)?petpages.neopets.com/~jynnxx(/.*)?)?$ [NC]
RewriteCond %{HTTP_REFERER} !^(http://(www\.)?petpages.neopets.com/~___nevermore(/.*)?)?$ [NC]

RewriteRule \.(gif|jpg|png|wav|mp3|mid)$ / [F,L]

@infinity
I just made some checks using wget and your website effectively blocks .gif .jpg and .png requests from any referer other than your own website.

@sixthcrusifix
I have not tested it, but you might try to add a RewriteCond line for each of your hosts like :
RewriteCond %{HTTP_REFERER} !^(http://(www\.)?enviroeeil.yi.org(/.*)?)?$ [NC]
RewriteCond %{HTTP_REFERER} !^(http://(.*\.)?google.com(/.*)?)?$ [NC]
RewriteCond %{HTTP_REFERER} !^(http://(www\.)?freepgs.com/webzone(/.*)?)?$ [NC]

If you try it, could you just leave a note here to tell me if it works?

blahblah.com/sixthcrusifix
to be able to hotlink, but not anyone else from blahblah.com

Then, simply put blahblah.com/sixthcrusifix as an allowed site. If you do not explicitly allow blahblah.com, then it will be blocked.

Didn't work for me. It let me link to a jpeg from my site even though I didn't include the site I linked from. Was there any othe rcode supposed to be in there??

surprising... this code :

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^(http://(www\.)?enviroeeil.yi.org(/.*)?)?$ [NC]
RewriteRule \.(gif|jpg|png)$ / [F,L]

allowed me to block hotlinking on my website when I tested it a few minutes ago.
obviously, i changed the address to match the one of my website, but it prooves that it works

Could you use that to allow Certain Sites to hotlink? Like if I had 2 or 3 I wanted to be able to hotlink from me but not everyone?

ALSO, If you wanted

blahblah.com/sixthcrusifix
to be able to hotlink, but not anyone else from blahblah.com

Could you do that too?

I think your best bet is to design a script that renames and accesses files constantly. It might be inconvenient and slow, but if you make a page that links to an image folder, you could crate random numbers, and have the script rename the files based on the numbers, and then set variables. The variables would be echoed into the html content for the filename of the image. the names would actually physically change every time you visite dthe page and hotlinking would be impossible because the urls would  be wrong. You'd have to store the latest names in a database so that you could get to them each time to change there name and resave the new name.

It ends up being very messy and probably would load very slowly, but NOTHING could get through it, hotlinking would be impossible by any means. (Unless nobody ever visited your page and made the filenames change. . . le's hope that's never the case though. )


I have another theory of image embedding. What if CSS could plot a single pixil on the screen and it's color? You could make a program that takes images and re-writes them in css plotting. then you'ld just link to the CSS page or stick the css in and you'd have your image. It would be impossible to copy because it wouldn't be a real image. You'd have to do printscreen. My plan failed when I realized that a simple 800x600 image would have TONS of code. Filesizes would actually be bigger than normal images . . but you'd never have to upload mages again! you could just "write" them!

And people couldn't hotlink to them because there would be nothing to link to. The negative is that they could view your pages source and copy the code. I'm working out the kinks but I think pseudo-images are the © protectant of the future.

My third idea is Still Video. Most computers can't use prinscreen to copy certain video filetypes (Just go to launch.com and try to use printscreen during a video, you just get a black space) So we should create a filetype that loads the image as that type of video, that constantly loops its 1 frame infinitly. It couldn't be linked to if it was embedded right, like a Real Player RAM file, it couldn't be copy/pasted or printscreened either....

webzone: Most likely, I think I printed the article out a year ago, so I don't remember. That page is word-for-word what I have posted.

sixthcrusifix: You never know what kind of idiots you'll have on your site. You wouldn't want stuff like email addresses being exposed to the public, now would you?

Guess not... that's why "you agree that It's not my fault" Is repeated in 72 different ways in my TOS. XD

[SQL Injection]

Oh no! You made me get out the "Writing Secure PHP" article I printed out. Since I don't remember the URL, I'll type it here:

SQL Injection

One of PHP's greatest strengths is the ease with which it can communicate with databases, most notable MySQL. Many people make extensive use of this, and a great many sites, including this one, rely on databases to function.

However, as you would expect, with that much power there are potentially huge security problems you can face. Fortunately, there are plenty of solutions. The most common security hazard faced when interacting with a database is that of SQL Injection - when a user uses a security glitch to run SQL queries on your database.

Let's use a common example. Many login systems feature a line that looks a lot like this when checking the username and password entered into a form by a user against a database of valid username and password combinations, for example to control access to an administration area:

$check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$_POST['username'].'" and Password = '".$_POST['password']."'");
Look familiar? It may well do. And on the face of it, the above does not look like it could do much damage. But let's say for a moment that I enter the following into the "username' input box in the form and submit it:

' OR 1=1 #
The query that is going to be executed will now look like this:

SELECT Username, Password FROM Users WHERE Username = '' OR 1=1#' and Password = ''
The hash symbol (#) tells MySQL that everything following it is a commend and to ignore it. So it will actually only execute the SQL up to that point. As 1 always equals 1, the SQL will return all of the usernames and passwords from the database. And as the first usename and password combination in most user login database is the admin user, the person who simply entered a few symbols in a username box is now logged in as your website administrator, with the same powers they would have if they actually knew the username and password.

With a little creativity, the above can be exploited further, allowing a user to create their own login account, read credit card numbers or even wipe a database clean.

Fortunately, this type of vulnerability is easy enough to work around. By checking for apostrophes in the items we enter into the database, and removing or neutralising them, we can prevent anyone from running their own SQL code on our database. The function below would do the trick:

function make_safe($variable) {
  $variable = addslashes(trim($variable));
  return $variable;
}
Now to modify our query. Instead of using _POST variables as int he query above, we now run all user data through the make_safe function, resulting in the following code:

$username = make_safe($_POST['username']);
$password = make_safe($_POST['password']);
$check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$username."' and Password = '".$password."'");
Now, if a user entered the malicious data above, the query will look like the following, which is perfectly harmless, The following query will select from a database where the username is equal to "\'OR 1=1 #".

SELECT Username, Password, UserLevel FROM Users WHERE Username ='\' OR 1=1 #' and Password = ''
Now, unless you happen to have a user with a very unusual username and a blank password, your malicious attacker will not be able to do any damage at all. It is important to check all data passed to your database like this, however secure you think it is. HTTP Headers sent from the user can be faked. Their referral address can be faked. Their browsers User Agent string can be faked. Do not trust a single piece of data sent by the user, though, and you will be fine.

From an article titled "Writing Secure PHP", July 16, 2004 from an unknown source. If anyone knows the source, PM me and I'll post it here. :-)

Cool I'll probably use it. Although I don't see anybody caring enough to see what' in my databases. If I did I would have rememberd to erase my password when I posted the code . . . . . oops...

$rs = @mysql_select_db("MAIN",$conn) or die("Sorry Login Failed 1.2");

$sql="select * from userbase where username=\"$username\" and password=\"$password\"";


change to ::

$rs = @mysql_select_db(DATA,$conn) or die("Sorry Login Failed 1.2");

$sql="select * from userbase where username='$username' and password='$password'";


oh.. you figured it out too. geeze I'm a dumby.

(I'm not completely sure about that first line but try it anyways.)

[Table 'MAIN.userbase' doesn't exist]

And now back to breaking my own stuff, if you have anymore questions just post again.. I should be here for awhile longer.

look at this, it's working on one page and not the other!?!??!

Code Select Expand


<?php
if( (!$username) or (!$password) )
{
header("Location:$HTTP_REFERER") ; exit();
}


$conn = @mysql_connect("localhost","sixthcrusifix","") or die("Sorry Login Failed 1.1");

$rs = @mysql_select_db("MAIN",$conn) or die("Sorry Login Failed 1.2");

$sql="select * from userbase where username=\"$username\" and password=\"$password\"";

$rs=mysql_query($sql,$conn) or die(mysql_error());

$num = mysql_numrows($rs);

$SQL2="SELECT type
FROM `userbase`
WHERE username = '$username'";

$query2=mysql_query($SQL2,$conn)or die("SECOND QUERY FAILED");
$result2=mysql_fetch_object($query2);

$QWiuwq08wqjwqQW0_S=$result2->type;

if( ($num != 0) && ($QWiuwq08wqjwqQW0_S !="user") )
{
$msg = "Welcom $username - You were succesfully logged in!, TYPE: $QWiuwq08wqjwqQW0_S ";
session_start();
session_register("logged");
$logged = 1;
setcookie("user", $username, time()+2592000);
$user=$username;
}
else
{ 
if ($QWiuwq08wqjwqQW0_S="user")
{echo("YOU ARE NOT AN ADMINISTRATOR! Your Username has been sent to the administrater and you have been logged for trying to log into the admin CP!");}

$msg = "Sorry your username or password was incorrect! <a href=\"login.php\">Retry?</a>";
}
?>


<html>
<head><title>Log In to The Final Destiny!</title></head>
<body>




<body bgcolor="000000">
<div align="center"><img src="http://freepgs.com/sixthcrusifix/HEAD.jpg"></div>
<table width="500" overflow="480" align="left"

BACKGROUND="http://freepgs.com/sixthcrusifix/MAIN/images/Template/BG_

MAIN.gif" cellspacing="0" cellpadding="0">
<div align="center"><tr>
<td><img

src="http://freepgs.com/sixthcrusifix/MAIN/images/Template/TOP_MAIN.gif">

</tr></td>

</tr>
<td><img

src="http://freepgs.com/sixthcrusifix/MAIN/images/Template/TD_TOP.gif"></t

r></td>

<tr>
<td  width="468"

BACKGROUND="http://freepgs.com/sixthcrusifix/MAIN/images/Template/TD_

BG.gif">
<font size="4"><font color="ffffff"><div align="center">
<?php echo($msg); ?>
</font></font></div>
</tr></td>

</tr>
<td><img

src="http://freepgs.com/sixthcrusifix/MAIN/images/Template/TD_BOTTOM.gif

"></tr></td>
<br>
</tr>

<tr>
<td><img

src="http://freepgs.com/sixthcrusifix/MAIN/images/Template/BOTTOM_MAIN.

gif" name="test"></tr></td>
</div>
</table>




it works on its page in my main directory but not in the new folder I put it in!

this is the error message:


Table 'MAIN.userbase' doesn't exist


NVM I'm an idiot. There really is no database named MAIN. . . I renamed it to "DATA" LOLL

Just wondering what you are making this in? Your code is very colourful lol.. (compared to notepad anyways)

That's just how it looks when you put it in the code tag on the forum.


NOT ONLY does it work perfectly but I added encryption so that I don't have to chang the login script. The new passwords are sent to the database encrypted and given to the user unencrypted. And I logged in and it works.

Before when you lost your password the new password was just sent to the database. But that would cause problems now because the login form used md5 and it would end up not matching. So yes, I don't know what I was thinking not encrypting them.
And thats how it should be lol.. not sure what you would want with un-encrypted passwords in the database. (Although mine has both.. lol)

Just wondering what you are making this in? Your code is very colourful lol.. (compared to notepad anyways)

That's just how it looks when you put it in the code tag on the forum.


NOT ONLY does it work perfectly but I added encryption so that I don't have to chang the login script. The new passwords are sent to the database encrypted and given to the user unencrypted. And I logged in and it works.