PHP :: XSS Related Attack.

Attack System
What I am trying to do is make a basic attack system i already have parts of it done I just need help figuring out how to do a few specific things.

Problem #1
I have three tables in my mysql databse. one keeps track of the users and thier stats, one keeps tracks of characters and thier stats, and the third is the battle table to store info for the battle and then for recall later.
What I want to do is as an admin pick out the two users from dropdown menus
then pick the two characters they are playing as from dropdown menus
then I want to combine the two stats together from the different tables and put them into the battle table

(like so)
player1_attack(battle table) = users_attack(picked from dropdown) + characters_attack(picked from dropdown)

Is This Attack Harmless Or Harmful?
Some jerk wrote a robot to attack one of my contact forms. Once a day,
it hits my form about 10 times in a couple of seconds. It adds email
header info into a textarea box as printed below:

Content-Type: multipart/mixed; boundary="===============0845246937=="
MIME-Version: 1.0
Subject: a7a679bf
To: oanhpiuxh@mydomain.com
bcc: spamaddress@aol.com
From: oanhpiuxh@mydomain.com

This is a multi-part message in MIME format.

--===============0845246937==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

npvtr
--===============0845246937==--

I tried manually entering this into the field and substituting my own
address. It didn't seem to generate an email to me.

I'm using PHP4's mail() function to add $_POST[] contents to the
message body, so this never does make it into the header section.
However, since I really don't want my domains to come up on some
"frequent spammers" list, I'd like to be certain.

Am I in trouble here?

Related Items
I noticed a lot of websites show "Related Items" on each product page. I want to know how usually do you implement it. Should I add a field in the mysql table to hold the "Related Items" information? What's the best solution?

Rand() Related
I do not know how to perform a probability check.

This is indirectly related to PHP.

I would like generating a rand ID using rand() and a combo of letters and number. To keep it simple I wish to only use 6 chars So the question is:

What is the probability that out of 100k such rand IDs a duplicate could be generated?

I could indeed match it VS previously DB stored but if the frequency of possible duplication is somehow great then it becomes detrimental and I need finding a way with less duplication potentiality....

Related Search
how do I do a search related results? I mean, just briefly which function I need.

Related Table Problems
I know there is a "easy" way to do this but Im stumped and I hope you can help. I have 2 tables in mySQL. Table one is pages, table two is bb. Pages has a field in it call bb_id. I want to be able to show the corresponding row from bb with the appropriate page_id. For some reason it will dispaly the data from the last row from the bb table.

I've looked into joining them but Im new to PHP and had no success. Could someone explain how I'm supposed to these relate two tables?

Query Related To Ebay Php API 's
I am using Sandbox EBay Php API's....

I want to check Seller's login is correct or not ....

Should Sandbox tech. supports this ?

Also following error is occured while retriving the
"Seller's list" :

Fatal error: Class 'XsltProcessor' not found in C:Program FilesApache
GroupApache2htdocsebaySellerGetSellerList.php on line 37...........

Md5 Prob - Display Related
I have set up a basic user registration form on my site URL and all the info ins successfully transferred to the MySQL database.

The problem is that after a user has submitted his info a confirmation page loads URL telling the user their username and password. The thing is it displays the md5, i.e. the encryted password. Is there an alternative to md5 that will also add an encytped password to the db or is there a reverse operation I can run on the md5?

I have only been learning for the past few days so go easy. Below is the 'submitform.php' php code I use. PHP Code:

Mysql Related Question
just wondering:

I have a database, containing the following fields:

name
address
zip
email

and a template for my page, containing the following tags:

[[name]] [[address]] [[zip]] [[email]]

Would there be a quick way to replace those tags with the data read from the
database without doing this:

$line=mysql_get_row($res) ; // provided we already have connection and data
selected
$html_to_show=preg_replace("/[[name]]/",$line[0],$html_to_show);
$html_to_show=preg_replace("/[[address]]/",$line[1],$html_to_show);
$html_to_show=preg_replace("/[[zip]]/",$line[2],$html_to_show);
$html_to_show=preg_replace("/[[email]]/",$line[3],$html_to_show);

(never mind the preg here or any typo's. this is a quick question)

Reason for me to ask, though code above works:
I need to create something dynamic. I would like to scan and replace every
instance in my template, looking like a tag ( [[some_tag_name]] ) by
the value of it's corresponding fieldname from my table.
I am really wondering how, but there's got to be an easier way to do this.
Currently I have 61 fields in one table and that kinda works towards RSI if
I have to code it all like this.

Problem Related To OCILogon ()
My objective is to try to connect to the oracle database and if an
error occurs go to another page. The code follows

$conn = OCILogon($user,$passwd,$db); // <---- Line 34

if (!$conn) {
$err = OCIError();
header("Location: dbproblem.php?error=$err[text]");
}

The problem is, whenever the OCILogon() fails, I'm not able to
redirect to dbproblem.php because OCILogon has already sent the error
message to the client, thus resulting in the following message

Warning: Cannot modify header information - headers already sent by
(output started at /path/to/validate.php:34)

Is there anyway that I can stop OCILogon() from sending the error?

|FAQ| Zip Code Related Questions
Q: How to find the distance between two zip codes/cities?
Q: How to find list of cities/zip codes that are with in the particular
radius from given city/zip code?

A: In spherical trigonometry, we have haversine formula, which provides
relationship between the radius of the sphere and any two points on the
sphere (longitude and latitude of the points). So, if we take the earth
as a sphere and have longitude and latitude of any two cities, we can
find the distance approximately.

Developed countries like U.S. have census data that contains the zip
code, longitude and latitude of a particular city (along with
population data); this in turn helped a lot to find the distance
between any two cities or any two zip codes using the database. Not to
mention, even many commercial zip code databases are available for that
purpose.

Once we have the Zip code database, it's merely a calculation over the
data.

Session Related Problem
i am facing a serious problem while trying to make my site live which contains PHP pages. The pages which is working perfectly fine in localhost and intranet is not working when i put it in live. database connection also correct as i can able to display information on the page from it. Main problem in my search page and login pages. When i search i won't get anything even when data is there.No error also. My insert scripts also not working. Also i am not able to login with a username and password .Important thing to be noted is that everything is working fine in localhost and intranet. Code:

Time Related Script
I'm thinking of making a script that will rotate banners every hour.

The way I see it is:

get time;
if first number (hour)is positive ie. -->12:00
banner one
else
banner two....

IIS/Apache Related Problem
My development environment is XP/IIS and the destination system is
Unix/Apache

Should I expect to have any problems and what?

PHP's Configure (GD Related)
I'm trying to compile PHP 4.3.4 with support of GD (including zlib, jpeg,
png, freetype2, t1). I've compiled all the required libraries and they're
all sitting in /usr/local/lib, which can be confirmed by running
ldconfig -v.

Now I have a problem of figuring out which configure options to use.

For example, for freetype the following options are available:
--with-freetype2
--with-ttf
(there is also --enable-freetype-4bit-antialias-hack, but it's experimental
and prolly not necessary or is it? )

Similarly for zlib:
--with-zlib-dir
--with-zlib

What options am I to use for compiling the components mentioned above?

Bad Php Behaviour With Related Paths
I'm trying to include some files in an included file. Think of some scripts
like this

/index.php
/scripts/logging.php
/scripts/config.php
/scripts/db_access.php

index.php includes 'scripts/logging.php' and logging.php includes
'config.php' ºi 'db_access.php'.

My problem is that from within logging.php the php will try to include the
file '/config.php' and not '/scripts/config.php' because logging.php is
included in '/index.php' in the first place.

I would use absolute paths in the included file names, built with
$_SERVER['DOCUMENT_ROOT'], but I don't really know where my pages are on
the web server. I just know they are somewhere under DocumentRoot.

How can I write pages that can translate local paths to virtual paths and
that can be moved from one place to another in the virtual directory
hierarhy and still function corectly ?

How can I write pages that know about each other's URI's and that do not
care where they are placed on the webserver with respect to DocumentRoot ?

CURL - Form Related
I want a page which I can host where users fill in a form and the same data is sent to a form hosted remotely. I then want it to simpy display another page that I'm hosting.

So not like:

form fill--->> ends up going to there site
form fill--->> submits data to that form>>back at my site.

The form on there site looks like:

Upload Problems Related To PHP.ini Variables
I am using a web host and I dont have access to the php.ini file. My site allows users to upload 10 MB files via php. Their php.ini file was set at the 2 MB minimum upload maxfilesize, and they just switched it to 16 MB. Now i can upload files around 4 MB, But when i try to upload 6MB files i get this message:

Warning: Unable to open '/var/tmp/phpKI0kJ4' for reading: No such file or directory in /mnt/web_a/d20/s26/b01b6e87/www/addfile.php on line 240
upload failed!

Could this be because the max_execution_time is still only set to 30 in php.ini
I know the script works, so i think the problem is in php.ini

Preg_replace_callback() Is Segfaulting In 4.4.4, Length Related?
I'm having a problem where I changed hosts, went from php 4.1.2 to php
4.4.4, and now preg_replace_callback() is segfaulting when I pass it html
that is longer than 2732 bytes. This code has worked for a long time on a
different server.

Basically, I am reading an html page template into a variable with fread().

I then am doing this, which is code taken from a user example on the eval()
php manual page, which I have used successfully for quite awhile:

What it does is evaluate mixed html and php code, and output to browser. You
call it like:

eval_mixed($string);

function eval_mixed_helper($arr){
return ("echo stripslashes("".addslashes($arr[1])."");");
}

function eval_mixed($string){

$string = "<? ?>".$string."<? ?>";
$string = preg_replace("/<?=s+(.*?)s+?>/", "<? echo $1; ?>",
$string);
$string = str_replace('?>', '', str_replace( array('<?php', '<?'),
'', preg_replace_callback( "/?>((.|
)*?)<?(php)?/", "eval_mixed_helper",
$string) ) );

return eval($string);
}

If the template that I read into $string is 2732 or less bytes, it works
like it always did. If it is 2733 or greater bytes, it segment faults.

I found this report in the bug database, but it's really old. It sounds like
the same thing, though:

http://bugs.php.net/bug.php?id=25754
Bug*#25754 preg_replace() and preg_replace_callback() crash with long
matches

Anybody know anything about this?

Again, it worked fine on the older php on a different server.
I don't really know what to do to proceed with this, it's a bit out of my
league.

PLEASE HELP - Drop Down List Related Question
I am creating a dynamic dropdown
list using a code snippet(Section A) as below:
Section A:
$sql_query=mysql_query("SELECT DISTINCT semester, year from
schoolproject_pics ORDER BY year
DESC");
echo "<select name="semester" onchange="GoTo()">";
echo "<option value="$semester">-Semester Year-</option>";
while($data = mysql_fetch_array($sql_query)){
if($data[semester]==@$semester && $data[year]==@$year){
echo "<option value
selected="$data[semester]">$data[semester]:$data[year]</option><BR>";
}
echo "<option
value="$data[semester]">$data[semester]:$data[year]</option>"; }
echo "</select>";
mysql_free_result($sql_query);

The 'GoTo()' Javascript re-draws the same page with the chosen values
of 'semester' and 'year' so that
the values can be recovered by $_HTTP_GET_VARS, stored in two hidden
variables and then used in
another query to create another dynamic drop-down list, as in code
snippet (Section B).

$semesternow=$HTTP_GET_VARS['semester'];
$yearnow=$HTTP_GET_VARS['year'];
if((isset($semesternow) and strlen($semesternow) 0) and
(isset($yearnow) and strlen($yearnow) 0)){
print("<input type="hidden" ID="semesterchosen"
value="$semesternow">");
print("<input type="hidden" ID="yearchosen"
value="$yearnow">");
$sql_query2=mysql_query("SELECT DISTINCT school from
schoolproject_pics
WHERE semester='$semesternow' AND
year='$yearnow'");
echo "<select name="school" onchange="GoMore()">";
echo "<option value="$school">-- School --</option>";
while(list($school) = mysql_fetch_array($sql_query2)){
echo "<option value="$school">$school</option>";
}
echo "</select>";
mysql_free_result($sql_query2);

Now the question:
When the page is re-drawn, how can the values of semester and year
previously chosen, be displayed in the first drop down list. I tried to
do it using the following, but it does not do anything:

f($data[semester]==@$semester && $data[year]==@$year){
echo "<option value
selected="$data[semester]">$data[semester]:$data[year]</option><BR>";
}

Multiple Field Login And A Related Question
I'm looking for an example of a login system that has multiple fields
(2 to be exact) + password. e.g username, company name and password,
the user, company and password are checked against a mysql database. I
have it working with just the username field but I'm confused on how
to go about adding another field. I'm pretty new to PHP so don't beat
me up too much for this example code, I borrowed and hacked it
together in a very short period of time.

Code:

<?php
include 'db.php'
//Checks if there is a login cookie

if(isset($_COOKIE['ID_user']))

//if there is, it logs you in and directs you to the members page
//shopname is used to select the correct database
{
$shopname = $_COOKIE['ID_fitsheetshop'];
$username = $_COOKIE['ID_fitsheetuser'];
$pass = $_COOKIE['Key_fitsheet'];

$checkuser = mysql_query("SELECT * FROM users WHERE username =
'$username'")or die(mysql_error());
$checkshop = mysql_query("SELECT * FROM users WHERE shopname =
'$shopname'")or die(mysql_error());
while($info = mysql_fetch_array($checkuser))
{

if ($pass != $info['password'])
{
die('something is wrong');
}

else
{
header("Location: members.php");
}

}

while($info = mysql_fetch_array($checkshop))
{

if ($pass != $info['password'])
{
die('something is wrong');
}

else
{
header("Location: members.php");

}

Problem Related To Search For Arabic Meta Tags
I have special problem in using Meta tags searching, I have succeed to use
attached php page to make perfect Meta tags searching trough any site pages, but the problem raises when I try to use the same php code to search Arabic meta tags, I totally failed to fix this problem, no result was generated for Arab tags.

Problem Related To Search For Arabic Meta Tags
php-problem related to search for arabic meta tags

I have special problem in using Meta tags searching, I have succeed to use
attached php page to make perfect Meta tags searching trough any site pages, but the problem raise when I try to use the same php code to search Arabic meta tags, I totally failed to fix this problem, no result was generated for Arab tags.

Anybody Know A Script Or Method To Achieve This? (authentication/access Related)
I have been trying to find some kind of authentication method or
script (PHP/perl/javascript or other) to achieve the following, with
no luck.

Say there are 100 files at a site. A person can choose which file to
download from a list, and to do so has to enter a code or password.
When a valid code or password is used they are redirected to a page
with a direct link to download the file.

Once that code or password has been used to download that one file
(and the same code/password can be used to access any one of the 100
files), it is then expired/deleted/made invalid and can't be used
again to download any other file.

Does anybody know a method or script somewhere that can do this?

Locally Works/remotely Breaks? (Oracle Related?)
I'm diving into this crazy PHP thing, and I find myself a bit stuck.
Locally I can get a site to work very well. However, whenever I ask a
buddy of mine to test the site and I give him my IP it doesn't work.

I have a form. The form checks username/password against a database and
then either sends you back to the form or forwards you to the next
page. Is:

header("Location: http://localhost/nextpage.php");

the proper form of redirection?

The issue on the not at my computer logins is in this redirect. I'm not
sure what I need to send, but I was getting connection errors in the
beginning which aren't showing up anymore. Then I was getting
unreferenced index errors, but I put all the variables in a session and
that seems to work now. And now I'm stumped because I'm not getting
errors in the log.