Need a little help with sourcex update
  • So basically I have found something that could be used maliciously against my site: I have found that people can just submit any image with any link, so I was wondering how I can edit this code so it blocks certain website links.


    // Note: the mysql_* functions used below were removed in PHP 7. The logic
    // is kept as posted; only the broken escaping, the missing isset() checks
    // and the unquoted src attribute (which allowed attribute injection) are fixed.
    $submit = isset($_POST['submit']) ? strip_tags($_POST['submit']) : '';
    $url = isset($_POST['url']) ? htmlentities(strip_tags($_POST['url'])) : '';
    $img = isset($_POST['img']) ? htmlentities(strip_tags($_POST['img'])) : '';

    if ($submit)
    {
        if ($img && $url)
        {
            //open database
            $connect = mysql_connect('host', 'user', 'pass');
            mysql_select_db('database');
            // INSERT query hidden by the poster (see the P.S. below)
            mysql_query("...");

            // htmlentities() always encodes double quotes, so the src value is
            // safe inside a double-quoted attribute.
            echo "<em>Banner Added, We hope you get large amounts of traffic.<br><br><img src=\"".$img."\" width='125' height='125'></em>";
        }
        else
        {
            echo "Please fill all fields correctly.";
        }
    }


    I would like to edit it so that if the link contains virus/porn etc. it echoes "Invalid or Malicious Link". I thought that it could store a whole list of bad links in an array and check through to see, but I don't know how to do that.

    Any help?

    P.S. I've hidden my SQL query.
    Skype: mrpt3o
    Twitter: MrPteo

  • x3n0n
    Posts: 110
    So the problem is that you don't know how to construct and use arrays?
    If that's the problem, you can construct the array simply by
    $checkValid = array("xxx", "porn", "sex", "horny", "virus", "trojan");

    And then check the url with
    $valid = true;
    foreach ($checkValid as $id) {
        // strpos() returns 0 for a match at the very start of the string, which
        // is falsy, so compare against false explicitly; stripos() ignores case.
        if (stripos($url, $id) !== false) {
            $valid = false;
        }
    }
    if ($valid) {
        //MySQL query
    } else {
        echo "Invalid Link!";
    }


    I hope that answers your question.
    But I think for more thorough filtering this won't be enough. You should check the extension of the files uploaded, and also check the validity of the files. (So that a jpg file with php content can't be uploaded).
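A fuller version of the check sketched in the reply above, which also covers the extension check that both replies bring up. This is an added example, not code from the thread or from the poster's site: the field names, the blocked-host list, the `checkUrl()` helper and the sample URLs are all constructed, and it assumes PHP 8 (for `str_ends_with`).

```php
<?php
// Added example (not from the original thread): validate a submitted banner
// link and image URL before storing them. Everything here is an assumption
// about the poster's form: an allowlist of image extensions plus a denylist
// of hosts and keywords that the site owner maintains in one place.

declare(strict_types=1);

// Hosts you never want to link to (constructed list; these are not real sites).
const BLOCKED_HOSTS = ['example-bad-site.test', 'malware.example'];

// Keywords from the reply above, checked case-insensitively against the whole URL.
const BLOCKED_KEYWORDS = ['xxx', 'porn', 'sex', 'horny', 'virus', 'trojan'];

// Only these extensions are accepted on the image URL's path.
const IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Return null if $url is acceptable, otherwise a short reason string.
 * With $mustBeImage the path must also carry an allowed image extension.
 */
function checkUrl(string $url, bool $mustBeImage = false): ?string
{
    $url = trim($url);

    // Whitespace or control characters would break the <img> tag and can be
    // used to smuggle a second attribute, so reject them outright.
    if ($url === '' || preg_match('/[\s\x00-\x1f\x7f]/', $url)) {
        return 'empty or contains whitespace/control characters';
    }

    // Structural check first; then require http(s) so that javascript: and
    // data: URLs are refused regardless of the keyword list.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return 'not a well-formed absolute URL';
    }
    $parts = parse_url($url);
    if (!is_array($parts)) {
        return 'unparseable URL';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return 'scheme must be http or https';
    }
    $host = strtolower($parts['host'] ?? '');
    if ($host === '') {
        return 'missing host';
    }

    // Host denylist: the host itself and any subdomain of it.
    foreach (BLOCKED_HOSTS as $bad) {
        if ($host === $bad || str_ends_with($host, '.' . $bad)) {
            return 'blocked host: ' . $bad;
        }
    }

    // Keyword denylist. stripos() returns 0 for a match at offset 0, which is
    // falsy, so the comparison must be "!== false", never a bare if().
    foreach (BLOCKED_KEYWORDS as $word) {
        if (stripos($url, $word) !== false) {
            return 'blocked keyword: ' . $word;
        }
    }

    if ($mustBeImage) {
        // Look only at the path; query string and fragment are ignored.
        $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
        if (!in_array($ext, IMAGE_EXTENSIONS, true)) {
            return 'image path must end in one of ' . implode(', ', IMAGE_EXTENSIONS);
        }
    }

    return null;
}

// Constructed sample submissions (link URL, image URL); none are real sites.
$samples = [
    ['https://example.com/ad',                 'https://cdn.example.com/banner.png'],
    ['javascript:alert(1)',                    'https://cdn.example.com/banner.png'],
    ['https://free-virus-scan.example.com/',   'https://cdn.example.com/b.jpg'],
    ['https://example.com/',                   'https://example.com/pic.php'],
    ['https://example.com/',                   'https://cdn.malware.example/x.gif'],
];

foreach ($samples as [$url, $img]) {
    $problem = checkUrl($url) ?? checkUrl($img, true);
    if ($problem === null) {
        // Safe to store; escape with htmlspecialchars() when echoing it back.
        echo "accepted: $url / $img\n";
    } else {
        echo "Invalid or malicious link ($problem): $url / $img\n";
    }
}
```

Run it with `php banner_check.php`. Two caveats a practitioner should keep in mind: a keyword denylist is trivially evaded by spelling tricks and a host denylist only stops what you already know about, so if the site only ever needs a handful of image hosts, an allowlist of hosts is the stronger control; and an extension check proves nothing about the bytes behind the URL, so if the image must really be an image the server has to fetch it and inspect it (for example with `getimagesize()`), which is deliberately left out here because it requires network access.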
  • Sh3llc0d3
    Posts: 1,910
    You need to do file type checks - for instance www.test.com/pic.php clearly isn't a pic whereas www.test.com/pic.jpg is.

    Below is an example of something you might want to look at. This is really file checking and input sanitization... everyone really needs to learn it.
    http://www.hotscripts.com/forums/php/79 ... check.html

    Also, just a hint to make your life a shit tonne easier in the long term...

    $connect = mysql_connect('host', 'user', 'pass');


    Get rid of that and replace it with:

    //Connect to mysql server
    $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
    if(!$link) {
    die('Failed to connect to server: ' . mysql_error());
    }

    //Select database
    $db = mysql_select_db(DB_DATABASE);
    if(!$db) {
    die("Unable to select database");
    }


    Now create a new file with the login info.

    <?php
    define('DB_HOST', 'localhost');
    define('DB_USER', 'pteo');
    define('DB_PASSWORD', 'password1');
    define('DB_DATABASE', 'database1');
    ?>


    Then, in the document you're working in, add the following to your PHP code before mysql_connect:

    require_once('config.php');


    config.php being the file with your mysql login info. Do this for every file that has your login info for MySQL.

    What's the upside?
    It means you have all your login info in ONE place instead of in every PHP document in the mysql_connect. It also means that when editing shit or changing your MySQL passwords you only have to do it once... whereas with your login info in all your PHP files you'll have to spend a long time changing a lot of files. It's one of my suggestions, someone's bound to disagree but hey...

    Also, if your upload page is causing problems of the sort that could see your site offline, it may be worth taking the upload page down and uploading a page saying "error". I've not checked but thought I'd mention it.
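The credentials-in-one-file idea from the post above, written out with PDO and a prepared statement in place of the removed mysql_* functions. This is an added example, not code from the thread: it assumes a MySQL server, a table `banners(url, img)`, a config file at `../config/db.php` (one level above the web root, so a misconfigured server can never serve it as plain text), and the helper names `dbConnect()` and `addBanner()`; all of those are constructed for the example.

```php
<?php
// Added example (not from the original thread): keep the database credentials
// in one file outside the web root and use PDO with prepared statements.
// Assumed: MySQL, a table banners(url VARCHAR(2048), img VARCHAR(2048)),
// and the config file at ../config/db.php relative to the public directory.

declare(strict_types=1);

// Contents of ../config/db.php (assumed path; readable only by the web server user):
//
// <?php
// return [
//     'dsn'  => 'mysql:host=localhost;dbname=database1;charset=utf8mb4',
//     'user' => 'pteo',
//     'pass' => 'change-me',
// ];

function dbConnect(string $configFile): PDO
{
    if (!is_readable($configFile)) {
        // Log the detail for the admin; never echo paths or driver errors to users.
        error_log("db config not readable: $configFile");
        throw new RuntimeException('Database configuration missing');
    }
    $cfg = require $configFile;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("db config lacks '$key'");
        }
    }
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        // Throw on errors instead of silently returning false.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepared statements, not client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function addBanner(PDO $db, string $url, string $img): void
{
    // Values travel as bound parameters, never concatenated into the SQL
    // text, so a URL containing a quote cannot change the query.
    $stmt = $db->prepare('INSERT INTO banners (url, img) VALUES (:url, :img)');
    $stmt->execute([':url' => $url, ':img' => $img]);
}

// Form handler: this would run after the link checks discussed in the thread.
if (isset($_POST['submit'], $_POST['url'], $_POST['img'])) {
    try {
        $db = dbConnect(dirname(__DIR__) . '/config/db.php');
        addBanner($db, $_POST['url'], $_POST['img']);
        // Store the raw value, escape on output: htmlspecialchars() with
        // ENT_QUOTES makes the value safe inside a quoted attribute.
        echo '<em>Banner added.<br><img src="'
            . htmlspecialchars($_POST['img'], ENT_QUOTES, 'UTF-8')
            . '" width="125" height="125"></em>';
    } catch (Throwable $e) {
        error_log($e->getMessage());
        echo 'Could not save the banner.';
    }
}
```

Two things this buys over the `define()` config in the post above: the file lives outside the document root, so a missing PHP handler or a directory listing cannot leak the password; and the failure path logs the real error and shows the user a generic message, where `die(mysql_error())` would print the host name and SQL error text to whoever triggered it.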