Prevent users from accessing admin area - mysql

Good Day,
I am facing a code error with my admin control panel PHP page.
I want to prevent any other user from accessing this page unless his job_title= admin.
It works, but even the admin himself gets redirected back to the login page again !!
Here is the code:
<?php
include('db.php');
?>
<?php
// Initialize session
#session_start();
ob_start();
// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['name']) || ($_SESSION['job_title'] != "admin")) {
header('Location: index.php');
}
ob_flush();
?>
<!-- STARTING HTML FORMAT -->
Any help?

Try this; if there are still problems, let me know.
$_SESSION['name'] = 'dennis';
$_SESSION['job_title'] = 'admin';
if (!isset($_SESSION['name']) || (!isset($_SESSION['job_title']) ? false: ($_SESSION['job_title'] !== 'admin'))) {
echo 'Redirecting';
} else {
echo 'You\'re good! Not redirecting!';
}
This may be an easier way to understand: just put it into a function.
$_SESSION['name'] = 'dennis';
$_SESSION['job_title'] = 'admin';
if (!isset($_SESSION['name']) || !isBoss()) {
echo 'Redirecting';
} else {
echo 'You\'re good! Not redirecting!';
}
function isBoss() {
if (isset($_SESSION['job_title']))
if ($_SESSION['job_title'] === 'admin')
return true;
return false;
}

I think your problem is a fubar newline :) I have added a login page reference, which unsets the session variables you check for if logins fail.
Be very careful with where you put your <?php ?> tags - and in .inc files, such as the db.php include - you may leave out the closing ?> tag on the last line to avoid accidental ENTER, then CTRL + S failures sneaking an unwanted newline char into your output buffer (ob). IF ob_start is activated, nothing is written from the server before you choose or the script ends. ELSE, if it's not, the default is that every \n will flush output and start the Content part of the payload.
login.php:
<?php
session_start(); // put this on top-most line in your script
$ok = check($_POST['user'], $_POST['pass']);
if($ok) {
$user = db_get_user_creds($_POST['user']);
$_SESSION['name'] = $user['name'];
$_SESSION['job_title'] = $user['job_title'];
} else {
// session_unset();
unset($_SESSION['name']);
unset($_SESSION['job_title']);
}
?>
admin.php
<?php
session_start(); // put this on top-most line in your script
// or, use ob_start at the very first line
// (with no whitespace whatsoever written out before it)
include('db.php');
?> I am writing out a newline here, session / header section is going to become unstable
<?php
// Initialize session
// #session_start(); moved up top
ob_start();
// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['name']) || ($_SESSION['job_title'] != "admin")) {
header('Location: index.php');
}
ob_flush();
?>
See the 'I am writing out a newline here' bit.
A little deeper down the rabbit hole it goes; the communication flow is like this:
1) HEADERS such as
Connection: keep-alive\r\n
Content-Type: text/html\r\n (etc)
2) DOUBLE NEWLINE (one newline with no previous chars on that line)
\r\n
3) CONTENTS
Body
Of Page
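As an added example (not code from the question or either answer above), here is the same admin gate written so that the session is started before any output, the role is compared strictly, and the script stops right after the redirect header; the original code has no exit after header(), so a non-admin would be sent to index.php while the rest of admin.php still executed and was buffered. The helper names (is_admin, require_admin, log_in, log_out), the 303 status and the session-id rotation at login are assumptions of this example; the session keys 'name' and 'job_title' and the index.php login page come from the thread.

```php
<?php
// Added example (not from the question or answers): an admin gate that
// starts the session before any output, checks the role strictly, and
// exits after the redirect header so nothing below it can run.
// Assumptions: the login handler stores 'name' and 'job_title' in the
// session, as in the answer above; index.php is the login page.

declare(strict_types=1);

// Decide from a session array whether the caller is an admin.
// Kept as a pure function so it can be checked without a web server.
function is_admin(array $session): bool
{
    return isset($session['name'], $session['job_title'])
        && $session['job_title'] === 'admin';
}

// Gate the current request. Must be called before any byte of output:
// no BOM, no blank line, no newline after a closing ?> in an included file.
function require_admin(string $login_page = 'index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_admin($_SESSION)) {
        // 303 makes the browser GET the login page even after a POST.
        header('Location: ' . $login_page, true, 303);
        exit; // without this, the rest of admin.php still executes
    }
}

// On successful login, rotate the session id before storing the role, so a
// session id handed out before authentication does not carry the admin role.
function log_in(array $user): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['name'] = $user['name'];
    $_SESSION['job_title'] = $user['job_title'];
}

// Failed login or logout: drop everything, not just the two keys.
function log_out(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    session_destroy();
}

// Offline check of the decision logic with constructed sample sessions.
if (PHP_SAPI === 'cli') {
    assert(is_admin(['name' => 'dennis', 'job_title' => 'admin']) === true);
    assert(is_admin(['name' => 'dennis', 'job_title' => 'editor']) === false);
    assert(is_admin(['name' => 'dennis']) === false); // job_title missing
    assert(is_admin([]) === false);
    echo "is_admin checks passed\n";
}
```

In admin.php the very first bytes of the file would then be `<?php require 'gate.php'; require_admin();` and the HTML follows; the is_admin() function takes the session as a parameter purely so the decision can be unit-tested from the command line, as the block's last lines do.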


Google Script Pass variable to templated HTMLService

I have a script which I have published as a web app. I wanted to change a default setting based on the URL used to run the web app. I am already opening one of two forms, but on one form, I want to have a radio button selected based on a second passed parameter. In the server side gs file I have:
function doGet(passed) {
switch(passed.parameter.form) {
case 'single':
var result = HtmlService.createTemplateFromFile('Single').evaluate();
result.setHeight(550);
result.setWidth(565);
break;
case 'grid':
default:
var result=HtmlService.createTemplateFromFile('GridView').evaluate();
result.setHeight(550);
result.setWidth(1285);
}
return result;
}
On Google's HTML Service: Templated HTML page there is a section, Pushing variables to templates, which seems to be what I want, but I can't get it to work.
In my Single.html file I have:
<body>
<? if (data === "Ex") { ?> Existing <? } else { ?> New <? } ?>
... </body>
The html portion above is overly simplified and getting this to work will get me to my ends, which is a much larger page with input areas, etc.
In an attempt to get "Existing" to display in the resulting page, I have changed the above code to:
function doGet(passed) {
switch(passed.parameter.form) {
case 'single':
var result = HtmlService.createTemplateFromFile('Single');
result.setHeight(550);
result.setWidth(565);
result.data = 'Ex';
return result.evaluate().setSandboxMode(HtmlService.SandboxMode.IFRAME);
break;
case 'grid':
default:
var result=HtmlService.createTemplateFromFile('GridView').evaluate();
result.setHeight(550);
result.setWidth(1285);
return result;
}
}
and get errors:
TypeError: Cannot find function setHeight in object HtmlTemplate. (line 131, file "Code")
Even if I remove the setHeight and setWidth, resulting in just having the data as shown on the above referenced page, I get errors.
Has anyone passed a variable to a page like this?
Looks like the method calls are just in the wrong order. The result.data = 'Ex'; should be before the .evaluate(), but the .setHeight() and .setWidth() must be applied afterwards. Modifying your last example slightly:
case 'single':
var result = HtmlService.createTemplateFromFile('Single');
result.data = 'Ex';
return result.evaluate()
.setHeight(550)
.setWidth(565)
.setSandboxMode(HtmlService.SandboxMode.IFRAME);
break;
I tracked down the basic error to a missed } after your if statement in your HTML file. The code should look like:
<? if (data === "Ex") { ?> Existing <? } else { ?> New <? } ?>

How to hide the source code of a HTML page

I created an HTML page and now would like to hide the source code and encrypt it.
How can I do that?
You can disable the right click, but that's a bad idea because expert minds can read anything from your page.
You cannot totally hide the page source - this is not possible. Nothing is secure enough on the Internet.
In any case, you can encrypt it and set a password.
You can utilise this link - it will encrypt your HTML page with a password.
First up, disable the right click, by writing out this script, right after the tag.
<SCRIPT language=JavaScript>
<!-- http://www.spacegun.co.uk -->
var message = "function disabled";
function rtclickcheck(keyp){ if (navigator.appName == "Netscape" && keyp.which == 3){ alert(message); return false; }
if (navigator.appVersion.indexOf("MSIE") != -1 && event.button == 2) { alert(message); return false; } }
document.onmousedown = rtclickcheck;
</SCRIPT>
Then, encrypt all of it on this website, called 'AES encryption'.
Link - http://aesencryption.net/
You need to set a password to decrypt it... you choose the password.
After encrypting it, you can just write a basic HTML page, putting the script to disable the right click into the <head> tag once again, your code into the <body> tag, and hiding everything by writing <html hidden> at the top of the page.
Example
<!DOCTYPE html>
<html hidden>
<head>
<SCRIPT language=JavaScript>
<!-- http://www.spacegun.co.uk -->
var message = "function disabled";
function rtclickcheck(keyp){ if (navigator.appName == "Netscape" && keyp.which == 3){ alert(message); return false; }
if (navigator.appVersion.indexOf("MSIE") != -1 && event.button == 2) { alert(message); return false; } }
document.onmousedown = rtclickcheck;
</SCRIPT>
</head>
<body>
--here, you put the encrypted code from the link above--
</body>
</html>
Where it is written var message = "function disabled"; you can write, for example, something like 'This page cannot be viewed' or something which will annoy most of the users so they will just leave ['This page is unavailable' and so on ....].
Finally, you will see a blank page with a message coming up as soon as you right click the page. The message will be something like 'This page is no longer active'.
Example
<SCRIPT language=JavaScript>
<!-- http://www.spacegun.co.uk -->
var message = "**This page is no longer active**";
function rtclickcheck(keyp){ if (navigator.appName == "Netscape" && keyp.which == 3){ alert(message); return false; }
if (navigator.appVersion.indexOf("MSIE") != -1 && event.button == 2) { alert(message); return false; } }
document.onmousedown = rtclickcheck;
</SCRIPT>
I do know that one can remove the <html hidden> or the JavaScript script with some add-ons such as Firebug, but anyway you will need to decrypt the code with a password in order to see the real page.
Expert users might view the source code with a Brute Force attack, I think.
So, nothing is safe.
I found an application that you need to install on your computer.
There is a feature in the Enterprise version, but you must pay to get it. This feature is a tool which encrypts your HTML page, creating an ultra-strong password encryption for HTML files using up to 384 bit keys for encryption [the link I wrote above uses up to 256 bit keys for encryption].
I have never tried it out, though, because it is not for free.
Anyway, the link of the software 'HTML Guardian' - http://www.protware.com/default.htm
For the feature about the encryption, merely click on 'Ultra-Strong HTML password protection' in the page.
You cannot hide the source code, but you can make it harder to see your source code in the following way:
1. Disable right-click:
<body oncontextmenu="return false">
2. Disable ctrl, u, F12 keys:
<script type="text/javascript">
// Netscape/Firefox-style event objects vs. the old IE global event
var isNS = (navigator.appName == "Netscape");
// context-menu handler: swallow the event
function mischandler() {
return false;
}
function mousehandler(e) {
var myevent = (isNS) ? e : event;
var eventbutton = (isNS) ? myevent.which : myevent.button;
if ((eventbutton == 2) || (eventbutton == 3)) return false;
}
document.oncontextmenu = mischandler;
document.onmousedown = mousehandler;
document.onmouseup = mousehandler;
function disableCtrlKeyCombination(e) {
var forbiddenKeys = new Array("a", "s", "c", "x", "u");
var key;
var isCtrl;
var i;
if (window.event) {
key = window.event.keyCode;
//IE
if (window.event.ctrlKey)
isCtrl = true;
else
isCtrl = false;
}
else {
key = e.which;
//firefox
if (e.ctrlKey)
isCtrl = true;
else
isCtrl = false;
}
if (isCtrl) {
for (i = 0; i < forbiddenKeys.length; i++) {
//case-insensitive comparison
if (forbiddenKeys[i].toLowerCase() == String.fromCharCode(key).toLowerCase()) {
return false;
}
}
}
return true;
}
// wire the key handler up; without this it never runs
document.onkeydown = disableCtrlKeyCombination;
</script>
3. Add lots of white space before you start your code;
it may fool someone.
There isn't really any way to do it that would stop someone who is sophisticated.
There isn't really a way to do that. Perhaps the only thing you could do is to disable the right click feature via JavaScript, but still that wouldn't stop a user who's experienced enough to copy it. However, check this out.
For PHP, separate the code you don't want seen from the rest of your code with:
<?php
for($i=0;$i<1000000;$i++){
echo "\n";
}
?>
<some html="what you want to hide">
<?php
for($i=0;$i<1000000;$i++){
echo "\n";
}
?>
This will effectively kill the view source aspect (at least for a few minutes);
if someone is viewing the source, he will not wait for the results.
Also, this does not seem to slow the page load.
I know it's a little late, but I guess you are looking for something called obfuscation. For JavaScript files, for example, there are many obfuscation tools available that you can use in the build process of your webpage. The code is transferred in an unreadable format. Some VPS providers offer plugins that run during the build process and do that job for you.
As many have said, there's no real way to hide source code. There's been some good suggestions but I haven't seen this. This will encode it so nobody can read it, and it will 100% work for HTML. Only thing is anyone smarter than a light bulb will be able to decode it the same way it was encoded. You also cannot encode JavaScript or PHP; HTML only. developers.evrsoft.com offers a free encoder. But again, it can be decoded as quickly as it was encoded.
It'll look like this:
<h1>This will be encoded</h1>
Will be:
<script>
<!--
document.write(unescape("%3Ch1%3EThis%20will%20be%20encoded%3C/h1%3E"));
//-->
</script>
Again, don't encode PHP or JS.

CKeditor returning 403 when submitting certain html tags

I've created a page where I have two input textareas and I add CKeditor (ver. 4) to both of them.
The first editor works fine, I've set config.allowedContent = true; in the config.js to stop stripping tags like <script> and everything works as expected.
I have another editor right below it, same settings, same setup, I just changed the ID of the textarea field. It works when I submit normal text, but as soon as I add a <script> tag, for example, and press the submit button of the form in which the editors are in it seems to reload the page, doesn't submit any data and firebug tells me that the server returns 403.
I tried isolating the editor, adding personal configuration. Nothing. The first textarea works like a charm, second one returns 403 if the text has unsafe tags in it.
My setup is as follows, I'm using this ckeditor helper to insert the editors where I need. Page is created with CodeIgniter as you guessed.
I have a config.js file in the ckeditor folder.
I'm using a regular form, nothing fancy about it. It looks like this:
<form action="http://domain.com/admin/articles/edit/47" method="post">
<div id="cke_ckeditor_en_container">
<textarea cols="75" rows="7" id="ckeditor_en" name="text_en" class="input-text is-col-text"><?php echo set_value('text_en', isset($text_en) ? htmlspecialchars_decode($text_en) : ''); ?></textarea>
<?php echo display_ckeditor($ckeditor_en); ?>
</div>
<input type="submit" value="submit" />
</form>
The form has another part of html for the other editor which is the same, with changed id and other attributes, and a checkbox, nothing relevant.
And I have this in my controller:
public function edit(){
$this->load->helper('ckeditor');
$id = (int)$this->uri->segment(4);
if (empty($id)){
$this->session->set_flashdata('error', 'Empty ID!');
redirect('admin/articles');
}
$data = $this->articles_model->fetch_article($id);
$data['page_title'] = "Edit `" . $data['title'] . "`";
$data['form_url'] = "admin/articles/edit/" . $id;
$data['ckeditor'] = array(
'id' => 'ckeditor',
'path' => 'js/ckeditor');
$data['ckeditor_en'] = array(
'id' => 'ckeditor_en',
'path' => 'js/ckeditor');
$data['edit'] = true;
if($this->input->post('submit')){
$this->save_article("update",$id);
}
$this->load->view("admin/articles",$data);
}
private function save_article($type='insert', $id=0){
$this->load->library('form_validation');
$this->form_validation->set_rules('title','Title','trim|xss_clean|max_length[150]|min_length[1]');
$this->form_validation->set_rules('text','Text','trim');
$this->form_validation->set_rules('title_en','Title EN','trim|xss_clean|max_length[150]|min_length[1]');
$this->form_validation->set_rules('text_en','Text EN','trim');
$this->form_validation->set_rules('top_menu','Show in top menu','trim|xss_clean|max_length[1]');
if ($this->form_validation->run() === FALSE)
{
return FALSE;
}
// make sure we only pass in the fields we want
$data = array();
$data['title'] = $this->input->post('title');
$data['text'] = htmlspecialchars($this->input->post('text'));
$data['title_en'] = $this->input->post('title_en');
$data['text_en'] = htmlspecialchars($this->input->post('text_en'));
$data['url'] = $this->toAscii($this->input->post('title'));
$data['url_en'] = $this->toAscii($this->input->post('title_en'));
$data['top_menu'] = $this->input->post('top_menu');
if($type == "insert"){
$data['time'] = date("YmdHis");
}
if ($type == 'insert'){
if($this->articles_model->insert($data)){
$this->session->set_flashdata('success', 'Article added successfully!');
}else{
$this->session->set_flashdata('error', 'An error occurred!');
}
}else if ($type == 'update'){
if($this->articles_model->update($id, $data)){
$this->session->set_flashdata('success', 'Article `' . $data['title'] . '` edited successfully!');
}else{
$this->session->set_flashdata('error', 'An error ecc!');
}
}
redirect("admin/articles");
}
Safety, or unsafeness, to be exact, of my code is not relevant.
Edit:
Adding config.js for ckeditor.
CKEDITOR.editorConfig = function( config ) {
config.filebrowserBrowseUrl = '/js/kcfinder/browse.php?type=files';
config.filebrowserImageBrowseUrl = '/js/kcfinder/browse.php?type=images';
config.filebrowserFlashBrowseUrl = '/js/kcfinder/browse.php?type=flash';
config.filebrowserUploadUrl = '/js/kcfinder/upload.php?type=files';
config.filebrowserImageUploadUrl = '/js/kcfinder/upload.php?type=images';
config.filebrowserFlashUploadUrl = '/js/kcfinder/upload.php?type=flash';
config.removeButtons = 'Underline,Subscript,Superscript';
config.allowedContent = true;
// Set the most common block elements.
config.format_tags = 'p;h1;h2;h3;pre';
// Make dialogs simpler.
config.removeDialogTabs = 'image:advanced;link:advanced';
};
I'm stumped and stupefied; I've got no ideas on what to do. It seems that the one input has been cursed.
Any help appreciated, thank you.
This would be the result of your mod_security rules. Depending on how strict they are, they help better protect scripts from being hacked through vulnerabilities, generally those exploited via POSTs.
As I understand it, you are trying to add something to your second textarea, and CKEditor is removing some "unsafe" tags. It won't be very secure, but this can help you:
config.extraAllowedContent = '*{*}';
Add this to your config.js. This code lets you add anything you want, and CKEditor won't delete "unsafe" tags.
Documentation for this method:
https://www.bilisimkitabi.com/403-error-on-submit-of-ckeditor
You can add the following code to your .htaccess file:
#ckeditor Post 403 problem
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
#ckeditor Post 403 problem

Missing image in cakephp blog post

I am new to CakePHP and I am trying the blog example of the CakePHP 1.3 book.
I can correctly upload an image in this blog example. The image name is stored in the database and the image in DOCUMENT_ROOT/.... correctly.
But now I want to show the image in my blog with its related post.
I am using this code for image upload...
function add() {
if (!empty($this->data)) {
if(isset($this->data["Image"]["image"]["name"])){
$file = new File($this->data["Image"]["image"]["name"]);
$ext = $file->ext();
if ($ext != 'jpg' && $ext != 'jpeg' && $ext != 'gif' && $ext != 'png') {
$this->Session->setFlash('You may only upload image files.');
}else{
if(move_uploaded_file($this->data["Image"]["image"]["tmp_name"], $_SERVER["DOCUMENT_ROOT"]."test_om/blog/app/webroot/img/upload_image/" . $this->data["Image"]["image"]["name"]) == true){
$this->data["Post"]["image"] = $this->data["Image"]["image"]["name"];
}
$this->Post->save($this->data);
$this->Session->setFlash('Your post has been saved.');
$this->redirect(array('action' => 'index'));
}
}
}
}
And I am showing the image with this code:
<?php echo $this->Html->image('/img/upload_image/1.gif'); ?>
And this shows the same image with all posts.
But I want to set a specific image for its related post....
If you are sure you are getting everything correct (in the database and the file where it should be) you should use something like this in the view.
<?php echo $this->Html->image($this->data['Post']['image']); ?>
This is assuming you are passing the data from the controller to a view in the way described in the tutorial :)
If it is an index view you should have a variable posts that has all the post info, and in the view you will be in a loop like foreach ($posts as $post). Assuming this, your view should have something like this:
<?php echo $this->Html->image($post['Post']['image']); ?>
Suggestion: use debug kit (cakephp plugin) so you can see what variables are passed down and the structure (like a pr($variable))
Hope all this helps you; if not, comment on this post so I can try to extend my answer if needed.
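The question's add() action moves the file to webroot under whatever name the browser sent and decides "is this an image" from that name alone, then stores the same name in Post.image for the view. As an added example (not code from the question, the answer, or CakePHP itself), the helper below does the same job but picks the stored name itself, decides the type from the file's bytes, and returns the web path that belongs in Post.image, so the view's $this->Html->image($post['Post']['image']) works unchanged. The function names, the random file name, and the ALLOWED_IMAGE_TYPES table are assumptions of this example; CakePHP's WWW_ROOT constant and the img/upload_image directory come from the thread's layout.

```php
<?php
// Added example (not from the question or answer): store an uploaded image
// under a server-chosen name and return the web path to save in Post.image,
// which the view then passes to $this->Html->image().
// Assumptions: a $_FILES-style array (the question's
// $this->data['Image']['image']) and a writable webroot/img/upload_image.

declare(strict_types=1);

// Accepted MIME types, as detected from the bytes, mapped to the extension
// the stored file will get. The client-supplied file name is never used.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/png'  => 'png',
];

// Extension to store the file under, or null if the content is not one of
// the accepted image types. Works on any readable path, not just uploads.
function image_extension_for(string $path): ?string
{
    $info = @getimagesize($path);          // inspects the header, not the name
    if ($info === false || !isset($info['mime'])) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$info['mime']] ?? null;
}

// Validate the upload and move it into $upload_dir under a random name.
// Returns the path relative to webroot (e.g. "/img/upload_image/<hex>.jpg")
// or null on rejection; $error receives a message suitable for setFlash().
function store_uploaded_image(array $file, string $upload_dir, string $web_prefix, ?string &$error = null): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        $error = 'Upload failed.';
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        $error = 'Not an uploaded file.';
        return null;
    }
    $ext = image_extension_for($file['tmp_name']);
    if ($ext === null) {
        $error = 'You may only upload image files.';
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // server-chosen, no path parts
    if (!move_uploaded_file($file['tmp_name'], rtrim($upload_dir, '/') . '/' . $name)) {
        $error = 'Could not save the file.';
        return null;
    }
    return rtrim($web_prefix, '/') . '/' . $name;
}

// Offline check of the type detection with constructed files. The move
// itself needs a real request (is_uploaded_file), so it is not exercised here.
if (PHP_SAPI === 'cli') {
    $gif = tempnam(sys_get_temp_dir(), 'img');
    // constructed 1x1 GIF89a header + trailer, enough for getimagesize()
    file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00\x00\x00;");
    $txt = tempnam(sys_get_temp_dir(), 'img');
    file_put_contents($txt, "<?php echo 1;");   // not an image, whatever its name
    assert(image_extension_for($gif) === 'gif');
    assert(image_extension_for($txt) === null);
    unlink($gif);
    unlink($txt);
    echo "image checks passed\n";
}
```

In the controller the call would be `$path = store_uploaded_image($this->data['Image']['image'], WWW_ROOT . 'img/upload_image', '/img/upload_image', $err);`, followed by `$this->Session->setFlash($err)` when it returns null and `$this->data['Post']['image'] = $path;` before `$this->Post->save()` otherwise.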

How to create custom popup based on success insert or failure mySQL?

I would like to have a custom popup window appear on a page after the insert to mySQL is completed.
I have the "header" going to a particular page, but I would also like to have a custom popup window appear after the page loads.
Here is my current php script. Everything works, but I need to add a popup window based on a success or failure.
<?
.........
if ($result) {
header("location: inv_fc.php"); //NEED TO ADD A CUSTOM POPUP FOR SUCCESS
}
else {
header("location: inv_fc.php"); //NEED TO ADD A CUSTOM POPUP FOR FAILURE
}
?>
Use session variables.
Start the session with session_start(), and then set the session variables using the $_SESSION array. Then in inv_fc.php, check for the existence of the session variable (you must also call session_start() in this file).
So, something like
session_start();
$_SESSION['success'] = ($result) ? TRUE : FALSE;
header('location: inv_fc.php');
// inside inv_fc.php
session_start();
if ($_SESSION['success'] == TRUE) {
// do success stuff
} else {
// do failure stuff
}
where we've used the ternary operator.
header("location: inv_fc.php?success=" . ($result ? 'y' : 'n'));
would be the easiest, then just look for that 'success' query parameter in the new page:
if ($_GET['success'] == 'y') {
... success ...
} else {
... epic fail ...
}
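As an added example (not code from the question or either answer), here is the session approach from the first answer with one addition the answer leaves out: the flag is removed as soon as inv_fc.php reads it, so a refresh of that page does not show the popup again, and the message is emitted through json_encode so it cannot break out of the script block. The flash_* function names, the FLASH_KEY constant, and the popup text are assumptions of this example; inv_fc.php and $result come from the question.

```php
<?php
// Added example (not from the question or answers): a one-shot "flash"
// kept in the session, shown on the next page load only and cleared after
// it has been read. Assumptions: inv_fc.php is the page the insert script
// redirects to (from the question); the popup wording is made up here.

declare(strict_types=1);

const FLASH_KEY = '_flash';

// Store a message for the next request. $kind is 'success' or 'error'.
function flash_set(array &$session, string $kind, string $message): void
{
    $session[FLASH_KEY] = ['kind' => $kind, 'message' => $message];
}

// Return the pending flash (or null) and remove it, so reloading inv_fc.php
// does not pop the same message up again.
function flash_take(array &$session): ?array
{
    $flash = $session[FLASH_KEY] ?? null;
    unset($session[FLASH_KEY]);
    return is_array($flash) ? $flash : null;
}

// Build the popup markup. json_encode with the HEX flags turns the message
// into a JS string literal in which quotes, < and & are escaped, so text
// stored in the session cannot inject script into the page.
function flash_script(?array $flash): string
{
    if ($flash === null) {
        return '';
    }
    $js = json_encode($flash['message'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>window.addEventListener('load', function () { alert($js); });</script>";
}

// --- insert script, after the query has run (session_start() before any output) ---
// flash_set($_SESSION, $result ? 'success' : 'error',
//           $result ? 'Record saved.' : 'Insert failed.');
// header('Location: inv_fc.php', true, 303);
// exit;

// --- inv_fc.php (session_start() before any output) ---
// $flash = flash_take($_SESSION);
// ... page markup ...
// echo flash_script($flash);

// Offline check with a constructed session array.
if (PHP_SAPI === 'cli') {
    $session = [];
    flash_set($session, 'success', 'Record saved.');
    $first = flash_take($session);
    assert($first['kind'] === 'success');
    assert(flash_take($session) === null);   // consumed: second read is empty
    assert(strpos(flash_script($first), 'alert("Record saved.")') !== false);
    echo "flash checks passed\n";
}
```

The same two functions cover the second answer's query-string variant without the query string: because the flag lives server-side, a visitor cannot make the success popup appear just by opening inv_fc.php?success=y, and the kind/message split lets inv_fc.php pick different markup for success and failure.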