  • #1 New Coder

    PHP injection of HTML code

    I am running an image upload service, but I constantly fall victim to PHP injection of HTML code. The code appears below my end ?> in the index.php file.

    I am checking if it is an image that is being uploaded using "getimagesize"; however, I read somewhere that this injection can happen when HTML is wrapped around PHP on the site, or in include statements.... The injection only happens on index.php.

  • #2 Supreme Master coder! _Aerospace_Eng_
    Can you post your upload script and index.php please?
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #3 New Coder
    Sorry, here you go:
    The code is wrapped around some basic HTML code...
    PHP Code:
    <?
    require 'config.php';
    ?>
    <?
    // $graffol and $rozmiar_bt are expected to come from config.php.
    // $filename, $filesize and $dir are used below without being set in this
    // snippet (assumed to be set by config.php or by register_globals).
    if(isset($_GET['billede'])){
        $img = $_GET['billede'];
        $escapeChars[0] = array('<', '>');
        $escapeChars[1] = array("&lt;", "&gt;");
        $img = str_replace($escapeChars[0], $escapeChars[1], $_GET["billede"]);
        if(!file_exists("$img")){
            include("er1.html");
        }
        else{
            include("comp.php");
        }
    }else{
        if(isset($_POST['upload'])) {
            $uploaddir = "$graffol";
            $maxfilesize = $rozmiar_bt;
            $filename = strtolower($filename);
            $filename = preg_replace("#[^a-zA-Z0-9\"'.,!]#", "", $filename);
            $filetmpname = $_FILES['file']['tmp_name'];
            // Rejects anything whose header does not parse as an image.
            @getimagesize($_FILES['file']['tmp_name']) or die(include("er3.html"));

            if($filename) {
                $error = 0;
                if(($filesize > $maxfilesize) || ($filesize == 0)){
                    $error = 1;
                    include("er2.html");
                }
                else {
                    $time = time();
                    $filename_new = $time.$filename;
                    $upload = move_uploaded_file($filetmpname, "$dir");
                    if($upload) {
                        echo "<meta http-equiv='refresh' content='2; URL=?billede=$dir' />";
                        include("load.html");
                    }
                    else {
                        include("er3.html");
                    }
                }
            }
            else{
    ?>
    Last edited by bigrasmusdk; 12-09-2008 at 09:57 PM.

  • #4 Regular Coder
    I would start by sanitizing all of your inputs, including any hidden input fields.

    http://www.php.net/function.mysql-real-escape-string

  • #5 New Coder
    In any case, if anyone wanted to know, this is a snippet of the random code that is added...
    Code:
    <u style=display:none><a href="http://www.sanhusarang.com/flash/r/crossfade-cold-acoustic.html">crossfade cold acoustic</a><a href="http://www.sanhusarang.com/flash/r/how-to-refill-butane-lighter.html">how to refill butane lighter</a><a href="http://www.sanhusarang.com/flash/r/farting-elves.html">farting elves</a><a href="http://www.sanhusarang.com/flash/r/weird-al-yankovitch.html">weird al yankovitch</a><a href="http://www.sanhusarang.com/flash/r/automatismi-tende-da-sole.html">automatismi tende da sole</a><a href="http://www.sanhusarang.com/flash/r/ivana-humpalot.html">ivana humpalot</a><a href="http://www.sanhusarang.com/flash/r/badd-*****.html">badd *****</a><a href="http://www.sanhusarang.com/flash/r/545x39-ammo.html">5.45x39 ammo</a><a href="http://www.sanhusarang.com/flash/r/diy-soundproofing.html">diy soundproofing</a><a href="http://www.sanhusarang.com/flash/r/spred-legs.html">spred legs</a><a href="http://www.sanhusarang.com/flash/r/busted-air-hostess.html">busted air hostess</a><a href="http://www.sanhusarang.com/flash/r/barbera-twins.html">barbera twins</a><a href="http://www.sanhusarang.com/flash/r/couples-suduce-teens.html">couples suduce teens</a><a href="http://www.sanhusarang.com/flash/r/hellespont-fairfax.html">hellespont fairfax</a><a href="http://www.sanhusarang.com/flash/r/sebimoto.html">sebimoto</a><a href="http://www.sanhusarang.com/flash/r/lake-havasu-sandbar.html">lake havasu sandbar</a><a href="http://www.sanhusarang.com/flash/r/matt-mccolm.html">matt mccolm</a><a href="http://www.sanhusarang.com/flash/r/femer.html">femer</a><a href="http://www.sanhusarang.com/flash/r/everlast-white-trash-beautiful.html">everlast white trash beautiful</a><a href="http://www.sanhusarang.com/flash/r/zz-top-cheap-sun-glasses.html">zz top cheap sun glasses</a><a href="http://www.sanhusarang.com/flash/r/tanya-ballinger.html">tanya ballinger</a><a href="http://www.sanhusarang.com/flash/r/spinner-dominoes.html">spinner dominoes</a><a 
href="http://www.sanhusarang.com/flash/r/intelecast.html">intelecast</a><a href="http://www.sanhusarang.com/flash/r/spiralina.html">spiralina</a><a href="http://www.sanhusarang.com/flash/r/son-of-a-preacherman.html">son of a preacherman</a><a href="http://www.sanhusarang.com/flash/r/desparado.html">desparado</a><a href="http://www.sanhusarang.com/flash/r/oomphies.html">oomphies</a><a href="http://www.sanhusarang.com/flash/r/basketball-playbooks.html">basketball playbooks</a><a href="http://www.sanhusarang.com/flash/r/jamie-presely.html">jamie presely</a><a href="http://www.sanhusarang.com/flash/r/nina-heartly.html">nina heartly</a><a href="http://www.sanhusarang.com/flash/r/roxanne-pallet.html">roxanne pallet</a><a href="http://www.sanhusarang.com/flash/r/buthole.html">buthole</a><a href="http://www.sanhusarang.com/flash/r/horntail.html">horntail</a><a href="http://www.sanhusarang.com/flash/r/rafael-palmiero.html">rafael palmiero</a><a href="http://www.sanhusarang.com/flash/r/halvah-recipe.html">halvah recipe</a><a href="http://www.sanhusarang.com/flash/r/bett-midler.html">bett midler</a><a href="http://www.sanhusarang.com/flash/r/laffey-taffey.html">laffey taffey</a><a href="http://www.sanhusarang.com/flash/r/emminent-domain.html">emminent domain</a><a href="http://www.sanhusarang.com/flash/r/chelsea-mundae.html">chelsea mundae</a><a href="http://www.sanhusarang.com/flash/r/fripp-island-waterway-south-carolina-vacation-home.html">fripp island waterway south carolina vacation home</a><a href="http://www.sanhusarang.com/flash/r/claris-water-filters.html">claris water filters</a><a href="http://www.sanhusarang.com/flash/r/sitraders.html">sitraders</a><a href="http://www.sanhusarang.com/flash/r/android-18-and-krillin.html">android 18 and krillin</a><a href="http://www.sanhusarang.com/flash/r/dishydrosis.html">dishydrosis</a><a href="http://www.sanhusarang.com/flash/r/waltz-figurine.html">waltz figurine</a><a 
href="http://www.sanhusarang.com/flash/r/lithophane.html">lithophane</a><a href="http://www.sanhusarang.com/flash/r/seduction-of-maxine.html">seduction of maxine</a><a href="http://www.sanhusarang.com/flash/r/shedden-ontario.html">shedden ontario</a><a href="http://www.sanhusarang.com/flash/r/pezcycling.html">pezcycling</a><a href="http://www.sanhusarang.com/flash/r/megyn.html">megyn</a><a href="http://www.sanhusarang.com/flash/r/molinee-green.html">molinee green</a><a href="http://www.sanhusarang.com/flash/r/molinee.html">molinee</a><a href="http://www.sanhusarang.com/flash/r/sanatarium.html">sanatarium</a><a href="http://www.sanhusarang.com/flash/r/asheville-mountain-homesites-for-sale.html">asheville mountain homesites for sale</a><a href="http://www.sanhusarang.com/flash/r/leprachan.html">leprachan</a><a href="http://www.sanhusarang.com/flash/r/male-frottage.html">male frottage</a><a href="http://www.sanhusarang.com/flash/r/spamelot.html">spamelot</a><a href="http://www.sanhusarang.com/flash/r/mx850.html">mx850</a><a href="http://www.sanhusarang.com/flash/r/meagen-good.html">meagen good</a><a href="http://www.sanhusarang.com/flash/r/anol-sex.html">anol sex</a><a href="http://www.sanhusarang.com/flash/r/shannon-wilsey.html">shannon wilsey</a><a href="http://www.sanhusarang.com/flash/r/jaba-the-hut.html">jaba the hut</a><a href="http://www.sanhusarang.com/flash/r/lamb-of-god-omerta.html">lamb of god omerta</a><a href="http://www.sanhusarang.com/flash/r/submersed-hollow.html">submersed hollow</a><a href="http://www.sanhusarang.com/flash/r/cunningless.html">cunningless</a><a href="http://www.sanhusarang.com/flash/r/porcelain-veneers-houston.html">porcelain veneers houston</a><a href="http://www.sanhusarang.com/flash/r/phqghumeexe.html">phqghume.exe</a><a href="http://www.sanhusarang.com/flash/r/turd-burglar.html">turd burglar</a><a href="http://www.sanhusarang.com/flash/r/boston-digital-ba735.html">boston digital ba735</a><a 
href="http://www.sanhusarang.com/flash/r/fakestarstvdeepfree.html">fakestarstv.deepfree</a><a href="http://www.sanhusarang.com/flash/r/palletizing-robot.html">palletizing robot</a><a href="http://www.sanhusarang.com/flash/r/judicial-caning.html">judicial caning</a><a href="http://www.sanhusarang.com/flash/r/gramophone-needles.html">gramophone needles</a><a href="http://www.sanhusarang.com/flash/r/charriots-of-fire.html">charriots of fire</a><a href="http://www.sanhusarang.com/flash/r/capybaras.html">capybaras</a><a href="http://www.sanhusarang.com/flash/r/cuyuna.html">cuyuna</a><a href="http://www.sanhusarang.com/flash/r/windblown-skirts.html">windblown skirts</a><a href="http://www.sanhusarang.com/flash/r/polar-ice-biome.html">polar ice biome</a><a href="http://www.sanhusarang.com/flash/r/mexican-folkloric-dance.html">mexican folkloric dance</a><a href="http://www.sanhusarang.com/flash/r/coronado-sailboat.html">coronado sailboat</a><a href="http://www.sanhusarang.com/flash/r/syncronized-swimming.html">syncronized swimming</a><a href="http://www.sanhusarang.com/flash/r/poems-by-gary-soto.html">poems by gary soto</a><a href="http://www.sanhusarang.com/flash/r/katma-tui.html">katma tui</a><a href="http://www.sanhusarang.com/flash/r/rhino-mowers.html">rhino mowers</a><a href="http://www.sanhusarang.com/flash/r/dripless-taper-candles.html">dripless taper candles</a><a href="http://www.sanhusarang.com/flash/r/nopi-swimsuit-contest.html">nopi swimsuit contest</a><a href="http://www.sanhusarang.com/flash/r/saltwater-biomes.html">saltwater biomes</a><a href="http://www.sanhusarang.com/flash/r/centerpointenergy.html">centerpointenergy</a><a href="http://www.sanhusarang.com/flash/r/nicholas-roerich.html">nicholas roerich</a><a href="http://www.sanhusarang.com/flash/r/watthour-meters.html">watthour meters</a><a href="http://www.sanhusarang.com/flash/r/brookside-babes.html">brookside babes</a><a href="http://www.sanhusarang.com/flash/r/rpk-parts-kit.html">rpk parts kit</a><a 
href="http://www.sanhusarang.com/flash/r/rhonna-farrer-stamps.html">rhonna farrer stamps</a><a href="http://www.sanhusarang.com/flash/r/kellie-picker.html">kellie picker</a><a href="http://www.sanhusarang.com/flash/r/ariens-snow-throwers.html">ariens snow throwers</a><a href="http://www.sanhusarang.com/flash/r/stem-cell-reserch.html">stem cell reserch</a><a href="http://www.sanhusarang.com/flash/r/stephani-sweet.html">stephani sweet</a><a href="http://www.sanhusarang.com/flash/r/gatco-brass.html">gatco brass</a><a href="http://www.sanhusarang.com/flash/r/mcalester-army-ammunition-plant.html">mcalester army ammunition plant</a><a href="http://www.sanhusarang.com/flash/r/trunks-ssj4.html">trunks ssj4</a><a href="http://www.sanhusarang.com/flash/r/digimon-izumi.html">digimon izumi</a><a href="http://www.sanhusarang.com/flash/r/digimon-yiff.html">digimon yiff</a><a href="http://www.sanhusarang.com/flash/r/drawings-of-evil-joker.html">drawings of evil joker</a><a href="http://www.sanhusarang.com/flash/r/interferential-therapy.html">interferential therapy</a><a href="http://www.sanhusarang.com/flash/r/rocket-broadheads.html">rocket broadheads</a><a href="http://www.sanhusarang.com/flash/r/kate-mulgrew-nude.html">kate mulgrew nude</a><a href="http://www.sanhusarang.com/flash/r/candace-nirvana.html">candace nirvana</a><a href="http://www.sanhusarang.com/flash/r/barnardsville-custom-home.html">barnardsville custom home</a><a href="http://www.sanhusarang.com/flash/r/leah-bracknell.html">leah bracknell</a><a href="http://www.sanhusarang.com/flash/r/kitens.html">kitens</a><a href="http://www.sanhusarang.com/flash/r/intracoastal-home-satillia-river.html">intracoastal home satillia river</a><a href="http://www.sanhusarang.com/flash/r/biofield.html">biofield</a><a href="http://www.sanhusarang.com/flash/r/blockbuster-vidio.html">blockbuster vidio</a><a href="http://www.sanhusarang.com/flash/r/azjobsgov.html">azjobs.gov</a><a 
href="http://www.sanhusarang.com/flash/r/eyeglass-leash.html">eyeglass leash</a><a href="http://www.sanhusarang.com/flash/r/bionic-wrench.html">bionic wrench</a><a href="http://www.sanhusarang.com/flash/r/fort-worth-lakefront-homesites.html">fort worth lakefront homesites</a><a href="http://www.sanhusarang.com/flash/r/gayboystop.html">gayboystop</a><a href="http://www.sanhusarang.com/flash/r/panda-craze-cheats.html">panda craze cheats</a><a href="http://www.sanhusarang.com/flash/r/tacpoint.html">tacpoint</a><a href="http://www.sanhusarang.com/flash/r/biobran.html">biobran</a><a href="http://www.sanhusarang.com/flash/r/lance-mazmanian.html">lance mazmanian</a><a href="http://www.sanhusarang.com/flash/r/panasonic-et-la095.html">panasonic et-la095</a><a href="http://www.sanhusarang.com/flash/r/inuyasha-kagome-lemon-fanfics.html">inuyasha kagome lemon fanfics</a><a href="http://www.sanhusarang.com/flash/r/pokemon-glitches.html">pokemon glitches</a><a href="http://www.sanhusarang.com/flash/r/taggies-blankets.html">taggies blankets</a><a href="http://www.sanhusarang.com/flash/r/yost-power-tube.html">yost power tube</a><a href="http://www.sanhusarang.com/flash/r/magnaport.html">magnaport</a><a href="http://www.sanhusarang.com/flash/r/bingotogocom.html">bingotogo.com</a><a href="http://www.sanhusarang.com/flash/r/refurbishing-kitchen-cabinets.html">refurbishing kitchen cabinets</a><a href="http://www.sanhusarang.com/flash/r/reza-sadeghi-mp3.html">reza sadeghi mp3</a><a href="http://www.sanhusarang.com/flash/r/dci-cavaliers.html">dci cavaliers</a><a href="http://www.sanhusarang.com/flash/r/ostankino-tower.html">ostankino tower</a><a href="http://www.sanhusarang.com/flash/r/chronic-sinusitus.html">chronic sinusitus</a><a href="http://www.sanhusarang.com/flash/r/pickled-okra-recipe.html">pickled okra recipe</a><a href="http://www.sanhusarang.com/flash/r/sistine-chaple.html">sistine chaple</a><a href="http://www.sanhusarang.com/flash/r/trace-adkins-arlington.html">trace adkins 
arlington</a><a href="http://www.sanhusarang.com/flash/r/asp-hosting-nickcom-web.html">asp hosting nick.com web</a><a href="http://www.sanhusarang.com/flash/r/cory-rudl.html">cory rudl</a><a href="http://www.sanhusarang.com/flash/r/beaverly-hills.html">beaverly hills</a><a href="http://www.sanhusarang.com/flash/r/phryne.html">phryne</a><a href="http://www.sanhusarang.com/flash/r/nnmodels.html">nnmodels</a><a href="http://www.sanhusarang.com/flash/r/milf-maricel.html">milf maricel</a><a href="http://www.sanhusarang.com/flash/r/psuedoephedrine.html">psuedoephedrine</a><a href="http://www.sanhusarang.com/flash/r/pasame-la-botella-mp3.html">pasame la botella mp3</a><a href="http://www.sanhusarang.com/flash/r/cum-swapers.html">cum swapers</a><a href="http://www.sanhusarang.com/flash/r/deborah-unger-nude.html">deborah unger nude</a><a href="http://www.sanhusarang.com/flash/r/pseudohermaphroditism.html">pseudohermaphroditism</a><a href="http://www.sanhusarang.com/flash/r/san-leandro-vocational-nursing-schools.html">san leandro vocational nursing schools</a><a href="http://www.sanhusarang.com/flash/r/cerberus-pyrotronics.html">cerberus pyrotronics</a><a href="http://www.sanhusarang.com/flash/r/brett-micheals.html">brett micheals</a><a href="http://www.sanhusarang.com/flash/r/robert-maplethorpe.html">robert maplethorpe</a><a href="http://www.sanhusarang.com/flash/r/posey-restraints.html">posey restraints</a><a href="http://www.sanhusarang.com/flash/r/lepidopterist.html">lepidopterist</a><a href="http://www.sanhusarang.com/flash/r/follicular-non-hodgkins-lymphoma.html">follicular non-hodgkins lymphoma</a><a href="http://www.sanhusarang.com/flash/r/listerine-toenail-fungus.html">listerine toenail fungus</a><a href="http://www.sanhusarang.com/flash/r/ultrasonic-nebulizers.html">ultrasonic nebulizers</a><a href="http://www.sanhusarang.com/flash/r/ultrasonic-liposuction-philadelphia.html">ultrasonic liposuction philadelphia</a><a 
href="http://www.sanhusarang.com/flash/r/rachel-luttrell-nude.html">rachel luttrell nude</a><a href="http://www.sanhusarang.com/flash/r/ghots.html">ghots</a><a href="http://www.sanhusarang.com/flash/r/el-careyes-beach-resort.html">el careyes beach resort</a><a href="http://www.sanhusarang.com/flash/r/hilton-head-homesites.html">hilton head homesites</a><a href="http://www.sanhusarang.com/flash/r/rei-yoshii.html">rei yoshii</a><a href="http://www.sanhusarang.com/flash/r/emtek-knob.html">emtek knob</a><a href="http://www.sanhusarang.com/flash/r/petz5.html">petz5</a><a href="http://www.sanhusarang.com/flash/r/asbestos-mesothelioma-vermiculite.html">asbestos mesothelioma vermiculite</a><a href="http://www.sanhusarang.com/flash/r/degree-deoderant.html">degree deoderant</a><a href="http://www.sanhusarang.com/flash/r/pete-maneos.html">pete maneos</a><a href="http://www.sanhusarang.com/flash/r/teeny-bikini-cabana.html">teeny bikini cabana</a><a href="http://www.sanhusarang.com/flash/r/kirsch-drapery-rods.html">kirsch drapery rods</a><a href="http://www.sanhusarang.com/flash/r/delgard-fence.html">delgard fence</a><a href="http://www.sanhusarang.com/flash/r/haemorroids.html">haemorroids</a><a href="http://www.sanhusarang.com/flash/r/aluminized-gloves.html">aluminized gloves</a><a href="http://www.sanhusarang.com/flash/r/bondage-hogtie.html">bondage hogtie</a><a href="http://www.sanhusarang.com/flash/r/sitstayfetch.html">sitstayfetch</a><a href="http://www.sanhusarang.com/flash/r/paula-garces-nude.html">paula garces nude</a><a href="http://www.sanhusarang.com/flash/r/hildago-rings.html">hildago rings</a><a href="http://www.sanhusarang.com/flash/r/gravitation-the-rage-beat.html">gravitation the rage beat</a><a href="http://www.sanhusarang.com/flash/r/jmatchcom.html">jmatch.com</a><a href="http://www.sanhusarang.com/flash/r/angie-cepeda-desnuda.html">angie cepeda desnuda</a><a href="http://www.sanhusarang.com/flash/r/disneyx.html">disneyx</a><a 
href="http://www.sanhusarang.com/flash/r/immigrant-song-led-zepplin.html">immigrant song led zepplin</a><a href="http://www.sanhusarang.com/flash/r/sportsart-treadmills.html">sportsart treadmills</a><a href="http://www.sanhusarang.com/flash/r/young-jeezy-standing-ovation.html">young jeezy standing ovation</a><a href="http://www.sanhusarang.com/flash/r/eva-ionesco-free.html">eva ionesco free</a><a href="http://www.sanhusarang.com/flash/r/viviana-gibelli-photos.html">viviana gibelli photos</a><a href="http://www.sanhusarang.com/flash/r/penectomy-stories.html">penectomy stories</a><a href="http://www.sanhusarang.com/flash/r/female-headscissors.html">female headscissors</a><a href="http://www.sanhusarang.com/flash/r/firestorm-spark-plug.html">firestorm spark plug</a><a href="http://www.sanhusarang.com/flash/r/boys-briefs-puberty.html">boys briefs puberty</a><a href="http://www.sanhusarang.com/flash/r/technodyke.html">technodyke</a><a href="http://www.sanhusarang.com/flash/r/mapp-vs-ohio.html">mapp vs. 
ohio</a><a href="http://www.sanhusarang.com/flash/r/pedal-to-the-metal-kazzer.html">pedal to the metal kazzer</a><a href="http://www.sanhusarang.com/flash/r/multibreast.html">multibreast</a><a href="http://www.sanhusarang.com/flash/r/amanda-byne.html">amanda byne</a><a href="http://www.sanhusarang.com/flash/r/peanutbutterjelly.html">peanutbutterjelly</a><a href="http://www.sanhusarang.com/flash/r/hannah-delmonte.html">hannah delmonte</a><a href="http://www.sanhusarang.com/flash/r/john-stamos-shirtless.html">john stamos shirtless</a><a href="http://www.sanhusarang.com/flash/r/deb-talan.html">deb talan</a><a href="http://www.sanhusarang.com/flash/r/simplicity-serger.html">simplicity serger</a><a href="http://www.sanhusarang.com/flash/r/lambchop-puppet.html">lambchop puppet</a><a href="http://www.sanhusarang.com/flash/r/nadja-peulen.html">nadja peulen</a><a href="http://www.sanhusarang.com/flash/r/wayne-gretzsky.html">wayne gretzsky</a><a href="http://www.sanhusarang.com/flash/r/inner-universe-origa.html">inner universe origa</a><a href="http://www.sanhusarang.com/flash/r/cricoid-cartilage.html">cricoid cartilage</a><a href="http://www.sanhusarang.com/flash/r/msxxl.html">msxxl</a><a href="http://www.sanhusarang.com/flash/r/scotty-pippen.html">scotty pippen</a><a href="http://www.sanhusarang.com/flash/r/swavorski-crystal-beads.html">swavorski crystal beads</a><a href="http://www.sanhusarang.com/flash/r/christina-millian-naked.html">christina millian naked</a><a href="http://www.sanhusarang.com/flash/r/panamal-canal.html">panamal canal</a><a href="http://www.sanhusarang.com/flash/r/skat-trak-tires.html">skat trak tires</a><a href="http://www.sanhusarang.com/flash/r/futanari-manga.html">futanari manga</a><a href="http://www.sanhusarang.com/flash/r/homesites-asheville-mountain.html">homesites asheville mountain</a><a href="http://www.sanhusarang.com/flash/r/lexicomp.html">lexicomp</a><a href="http://www.sanhusarang.com/flash/r/flaccid-cocks.html">flaccid cocks</a><a 
href="http://www.sanhusarang.com/flash/r/liyrics.html">liyrics</a><a href="http://www.sanhusarang.com/flash/r/kenny-chesney-summertime-lyrics.html">kenny chesney summertime lyrics</a><a href="http://www.sanhusarang.com/flash/r/kogyaru.html">kogyaru</a><a href="http://www.sanhusarang.com/flash/r/bohemian-birth-chart.html">bohemian birth chart</a><a href="http://www.sanhusarang.com/flash/r/adrianasage.html">adrianasage</a></u>

  • #6 New Coder
    Quote Originally Posted by ptmuldoon:
    I would start by sanitizing all of your inputs, including any hidden input fields.

    http://www.php.net/function.mysql-real-escape-string
    But my code does not make use of MySQL, so how would my code change to use it? I am not familiar with sanitizing.

  • #7 Regular Coder
    Sorry, misread. Thought you were getting an SQL injection attack, but.......

    I think your problem here is that you do not have any checks in place to determine what type of file is being uploaded. So what's to stop someone from uploading a PHP or any other file type?

    It looks like you're identifying the file type here, but you're not doing anything with it:
    PHP Code:
    $filetype = substr($filename, -4);
    So in your code, you should limit the type of file uploads to what is permissible.

    ie.
    PHP Code:
    if($filetype == '.gif' || $filetype == '.png')
    {
        // Do Something
    }


  • #8 New Coder
    No problem. I have removed this line of code... Instead, as was also the case before, I now do only a @getimagesize, which is much more secure as I understand it, since the file type ".jpg" etc. can easily be forged...

    But still some bot is spamming with links...
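    Posts #7 and #8 disagree on whether to check the extension or the image header; the two checks answer different questions and a handler can do both. The following is an added example, not bigrasmusdk's script: it keeps an allow-list of image types, decodes the header with getimagesize(), cross-checks the result against libmagic, and stores the file under a server-generated name so nothing the client sends reaches the filesystem path. It assumes the upload directory is the $graffol path from config.php and the size limit is $rozmiar_bt; resolveImage() is a hypothetical helper for the ?billede= lookup that only accepts names of the generated shape inside that directory.

```php
<?php
// Added example, not the original poster's code.
// Assumed inputs: $_FILES['file'] from the existing form, $graffol as the
// upload directory and $rozmiar_bt as the byte limit (both from config.php).
declare(strict_types=1);

const ALLOWED_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Validate an uploaded file and return the name it was stored under,
 * or a string starting with "error:" explaining why it was rejected.
 */
function storeImage(array $file, string $uploadDir, int $maxBytes): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'error: upload failed';
    }
    if ($file['size'] <= 0 || $file['size'] > $maxBytes) {
        return 'error: bad size';
    }
    // Only trust a file that PHP itself received through the upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'error: not an uploaded file';
    }
    // Decode the image header; a non-image fails here regardless of its name.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        return 'error: not an allowed image type';
    }
    // Cross-check with libmagic: the detected type, not the client's filename
    // or Content-Type header, decides the stored extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== image_type_to_mime_type($info[2])) {
        return 'error: header and content disagree';
    }
    // The stored name is generated server-side; the client's name is never used.
    $ext  = ALLOWED_TYPES[$info[2]];
    $name = bin2hex(random_bytes(8)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'error: could not store file';
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $name;
}

/**
 * Hypothetical helper: map a ?billede= value to a file inside $uploadDir only.
 * Returns the real path, or null when the name points anywhere else.
 */
function resolveImage(string $requested, string $uploadDir): ?string
{
    $base = realpath($uploadDir);
    // Accept only the generated name shape: 16 hex digits plus an allowed extension.
    if ($base === false || !preg_match('/^[0-9a-f]{16}\.(gif|jpg|png)$/', $requested)) {
        return null;
    }
    $path = realpath($base . '/' . $requested);
    // realpath() collapses any "../" sequences, so the prefix check is reliable.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Wiring into the existing script (assumed names from the thread):
// $stored = storeImage($_FILES['file'], $graffol, (int) $rozmiar_bt);
// $shown  = resolveImage($_GET['billede'] ?? '', $graffol);
```

The extension test from post #7 survives as the allow-list keyed by IMAGETYPE constant, and the getimagesize() test from post #8 is what populates it; the finfo cross-check catches files whose first bytes parse as one format while the body is something else. The generated filename also removes the need for the preg_replace() character filter in the original script, since the client's name is never used.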

  • #9 New to the CF scene
    I always use this function to filter GET POST and COOKIE info:

    PHP Code:
    <?php

    // Takes its argument by reference so that array_walk() changes the array in
    // place; a callback that only returns the value would leave $_GET untouched.
    function clean(&$value)
    {
        if (get_magic_quotes_gpc())    $value = stripslashes($value);
        // Escapes quotes and backslashes for a MySQL query string;
        // requires an open mysql_connect() link.
        if (!is_numeric($value))    $value = mysql_real_escape_string($value);
        return $value;
    }

    array_walk($_GET,'clean');
    array_walk($_POST,'clean');
    array_walk($_COOKIE,'clean');

    extract($_GET,EXTR_PREFIX_ALL,'get');
    extract($_POST,EXTR_PREFIX_ALL,'post');
    extract($_COOKIE,EXTR_PREFIX_ALL,'cookie');

    ?>
    ...might be of use to you.
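    The thread has been using "sanitizing" for two different things: escaping for a MySQL query (what mysql_real_escape_string does) and making a value safe to print into HTML (what the hidden-link spam in post #5 would need). The added example below is not flamy's code; it shows escaping chosen at the point of output, with htmlspecialchars() for HTML and rawurlencode() for the ?billede= URL parameter, and a by-reference array_walk() callback, which is the form that actually modifies $_GET. The sample value is constructed to resemble the spam fragment from post #5; forHtml(), forUrl(), trimAll() and renderRedirect() are names chosen for this example.

```php
<?php
// Added example, not from the thread: escaping per output context.
declare(strict_types=1);

/** Escape one string for insertion into HTML text or a quoted attribute. */
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Encode one string for use as a single query-string parameter value. */
function forUrl(string $value): string
{
    return rawurlencode($value);
}

/**
 * Walk a request array in place. The & matters: array_walk() passes a copy
 * unless the callback parameter is declared by reference, which is why a
 * callback that only returns the cleaned value leaves the array unchanged.
 */
function trimAll(array &$request): void
{
    array_walk($request, function (&$value): void {
        if (is_string($value)) {
            $value = trim($value);
        }
    });
}

/**
 * Build the meta-refresh tag the original script echoes, with the file name
 * URL-encoded for the query string and then HTML-encoded for the attribute.
 */
function renderRedirect(string $name): string
{
    return '<meta http-equiv="refresh" content="2; URL=?billede=' . forHtml(forUrl($name)) . '">';
}

// Constructed sample: the shape of the hidden-link spam from post #5, as it
// would arrive in a query string (domain is a placeholder, not from the page).
$sample = ['billede' => ' <u style=display:none><a href="http://example.invalid/x.html">x</a></u> '];
trimAll($sample);

// Printed as text, the markup is inert: the browser shows the angle brackets
// instead of creating hidden links.
echo forHtml($sample['billede']), "\n";

// Placed in the redirect, the same value is doubly encoded for its context.
echo renderRedirect($sample['billede']), "\n";
```

Running this prints `&lt;u style=display:none&gt;...` for the first line, which a browser renders literally. A single startup filter over $_GET, $_POST and $_COOKIE cannot know which of these contexts a value will end up in, which is why the escaping is done where the value is used.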

  • #10 New Coder
    Quote Originally Posted by flamy:
    I always use this function to filter GET POST and COOKIE info:
    My code now looks like:

    PHP Code:
    <?
    require 'config.php';
    ?>
    <?
    // By reference so that array_walk() modifies the arrays in place.
    // The second if has an empty body (the escaping call was removed), so
    // clean() only strips slashes when magic quotes are on.
    function clean(&$img)
    {
        if (get_magic_quotes_gpc())    $img = stripslashes($img);
        if (!is_numeric($img));
        return $img;
    }

    array_walk($_GET,'clean');
    array_walk($_POST,'clean');
    array_walk($_COOKIE,'clean');

    extract($_GET,EXTR_PREFIX_ALL,'get');
    extract($_POST,EXTR_PREFIX_ALL,'post');
    extract($_COOKIE,EXTR_PREFIX_ALL,'cookie');

    // $graffol and $rozmiar_bt are expected to come from config.php.
    // $filename, $filesize and $dir are used below without being set in this
    // snippet (assumed to be set by config.php or by register_globals).
    if(isset($_GET['billede'])){
        @getimagesize($_GET['billede']) or die(include("er3.html"));
        $img = $_GET['billede'];
        if(!file_exists("$img")){
            die(include("er1.html"));
        }
        else{
            include("comp.php");
        }
    }else{
        if(isset($_POST['upload'])) {
            $uploaddir = "$graffol";
            $maxfilesize = $rozmiar_bt;
            $filename = strtolower($filename);
            $filename = preg_replace("#[^a-zA-Z0-9\"'.,!]#", "", $filename);
            $filetmpname = $_FILES['file']['tmp_name'];
            @getimagesize($_FILES['file']['tmp_name']) or die(include("er3.html"));

            if($filename) {
                $error = 0;
                if(($filesize > $maxfilesize) || ($filesize == 0)){
                    $error = 1;
                    include("er2.html");
                }
                else {
                    $time = time();
                    $filename_new = $time.$filename;
                    $upload = move_uploaded_file($filetmpname, "$dir");
                    if($upload) {
                        echo "<meta http-equiv='refresh' content='2; URL=?billede=$dir' />";
                        include("load.html");
                    }
                    else {
                        include("er3.html");
                    }
                }
            }
            else{
    ?>
    But just a couple of hours after I removed this code, they uploaded a new bunch of spam...
    Code:
    <u style=display:none><a href="http://www.caribbeandaylight.com/images/2/index.html">tench muyo</a><a href="http://www.caribbeandaylight.com/images/2/index1.html">alyssa alps gallery</a><a href="http://www.caribbeandaylight.com/images/2/index2.html">insane clown posse slim anus</a><a href="http://www.caribbeandaylight.com/images/2/index3.html">furrie</a><a href="http://www.caribbeandaylight.com/images/2/index4.html">americas army multihack</a>
    Code:
    <u style=display:none><a href="http://www.orthowestfl.com/images/w/sorrell-boots.html">sorrell boots</a><a href="http://www.orthowestfl.com/images/w/microfiber-dust-mop.html">microfiber dust mop</a><a href="http://www.orthowestfl.com/images/w/amanda-bines-naked.html">amanda bines naked</a><a href="http://www.orthowestfl.com/images/w/princess-mononoke-mp3.html">princess mononoke mp3</a><a href="http://www.orthowestfl.com/images/w/amy-poehler-nude.html">amy poehler nude</a><a href="http://www.orthowestfl.com/images/w/34-huge-areola.html">34 huge areola</a><a href="http://www.orthowestfl.com/images/w/ncsecuorg.html">ncsecu.org</a><a href="http://www.orthowestfl.com/images/w/denise-from-sportsbybrooks.html">denise from sportsbybrooks</a><a href="http://www.orthowestfl.com/images/w/multiquip-mixers.html">multiquip mixers</a><a href="http://www.orthowestfl.com/images/w/choctawhatchee-beach-mouse.html">choctawhatchee beach mouse</a><a href="http://www.orthowestfl.com/images/w/tufa-stone.html">tufa stone</a><a href="http://www.orthowestfl.com/images/w/hainan-lsland.html">hainan lsland</a><a href="http://www.orthowestfl.com/images/w/copeland-brightest.html">copeland brightest</a><a href="http://www.orthowestfl.com/images/w/gormet-dog-treats.html">gormet dog treats</a><a href="http://www.orthowestfl.com/images/w/10th-grade-reading-fcat-practice.html">10th grade reading fcat practice</a><a href="http://www.orthowestfl.com/images/w/taken-otk.html">taken otk</a>
    Last edited by bigrasmusdk; 12-11-2008 at 07:26 PM.
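    Whatever the entry point turns out to be, the symptom the thread describes is a modified index.php, and that can be detected directly rather than by waiting for links to appear. The following added example is not the poster's code: a small command-line script that records SHA-256 hashes of the site's .php and .html files on its first run and, on later runs, reports files that changed, appeared or disappeared, plus any file containing the `<u style=display:none>` wrapper seen in posts #5 and #10. It assumes it is run from the web root and that the baseline path below, which is a placeholder, points outside the web root so a writer of index.php cannot also rewrite the baseline; snapshot() and findings() are names chosen for this example.

```php
<?php
// Added example, not the poster's code: file-integrity and marker check.
// Assumed usage: `php integrity.php` from the web root; first run writes the
// baseline, later runs report differences.
declare(strict_types=1);

const BASELINE = '/path/outside/webroot/baseline.json'; // placeholder path
const MARKER   = '<u style=display:none>';              // wrapper seen in the thread

/** Hash every .php and .html file under $root, keyed by path relative to $root. */
function snapshot(string $root): array
{
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (preg_match('/\.(php|html)$/', $file->getFilename())) {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

/** Compare a fresh snapshot with the baseline and return a list of findings. */
function findings(array $baseline, array $current, string $root): array
{
    $out = [];
    foreach ($current as $rel => $hash) {
        if (!isset($baseline[$rel])) {
            $out[] = "new file: $rel";
        } elseif ($baseline[$rel] !== $hash) {
            $out[] = "modified: $rel";
        }
        // The marker check is independent of the baseline, so it also fires on a
        // site whose baseline was taken after the links were already present.
        $source = file_get_contents("$root/$rel");
        if ($source !== false && strpos($source, MARKER) !== false) {
            $out[] = "hidden-link marker in: $rel";
        }
    }
    foreach (array_diff_key($baseline, $current) as $rel => $_) {
        $out[] = "missing: $rel";
    }
    return $out;
}

$root    = getcwd();
$current = snapshot($root);

if (!file_exists(BASELINE)) {
    file_put_contents(BASELINE, json_encode($current, JSON_PRETTY_PRINT));
    echo "baseline written: " . count($current) . " files\n";
    exit(0);
}

$baseline = json_decode((string) file_get_contents(BASELINE), true) ?: [];
$report   = findings($baseline, $current, $root);
foreach ($report as $line) {
    echo $line, "\n";
}
exit($report === [] ? 0 : 1);
```

Run it from cron and a non-zero exit status marks the run on which index.php changed, which narrows the window to compare against the web server and FTP logs. Re-take the baseline only after a file has been reviewed and cleaned, otherwise the injected version becomes the reference.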

