Nicedit upload images locally fails - php

This is how I call the editor:
new nicEditor({
buttonList : ['bold','italic','underline','upload'],
iconsPath:'img/nicedit.png',
uploadURI : 'http://server.com/integracion/files/nicUpload.php'
}).panelInstance(textareaId);
And the .php file exists (I used the one in the Docs, and I updated the target paths)
/* I want them here http://server.com/integracion/files/uploads/ so... */
define('NICUPLOAD_PATH', './uploads'); // Set the path (relative or absolute) to
// the directory to save image files
define('NICUPLOAD_URI', '/uploads'); // Set the URL (relative or absolute) to
// the directory defined above
But this is the response I get when the upload completes (and of course an alert from nicedit..)
<script>
try {
top.nicUploadButton.statusCb({"error":"Invalid Upload ID"});
} catch(e) { alert(e.message); }
</script>
what am I missing?
-EDIT
I think the problem might be in the php file:
$id = $_POST['APC_UPLOAD_PROGRESS']; /* APC is installed and enabled */
if(empty($id)) {
$id = $_GET['id'];
}

FINAL EDIT:
I have managed to make this work!
Here is a working example:
http://simplestudio.rs/yard/nicedit/
Uploaded images are going to be stored here:
http://simplestudio.rs/yard/nicedit/images/
And here is the whole code; just unpack it and put it on your server. Mainly I needed to adjust nicEdit.js because it had some issues.
http://simplestudio.rs/yard/nicedit/nicedit.rar
Just make your code with that js file and by looking at my example, it will work :)
Also you need to have php APC installed so that this script can work:
http://php.net/manual/en/apc.installation.php
If by any means you have some problems, I am here to solve them.
I will not delete this example from my server, so that everybody who has this issue can freely download it...

The code responsible for image upload is the method uploadFile; it looks for the uploadURI option parameter.
You will need to modify the onUploaded event handler to parse your custom response instead of imgur's (the sample). By default it expects at least {"upload": { "links": {"original": "http://..."}, "image": {"width": "123" } }}.
I'm sorry but I can't help with the FormData() handling server side with PHP.
For more information you can try out the demo page on the nicEdit web site using Firebug or WebInspector to snoop the network requests, and, of course, the source code.
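Since the answer above only says what shape the reply must have, here is an added example of a server-side receiver that produces it. This is not nicEdit's own nicUpload.php and not code from anyone in this thread. The field name 'image', the ./uploads directory and the UPLOAD_URI value are constructed assumptions; adjust them to your uploadFile request. The point of the example is that the image is verified by decoding it, stored under a server-chosen name, and never written anywhere the client can choose.

```php
<?php
// Added example: a receiver for nicEdit-style uploads that answers with the
// {"upload": {"links": {"original": ...}, "image": {"width": ...}}} shape.
// Assumptions (constructed): the upload field is 'image', files are stored in
// ./uploads next to this script, and UPLOAD_URI is that directory's public URL.

const UPLOAD_DIR = __DIR__ . '/uploads';
const UPLOAD_URI = '/uploads';
// Decoded MIME type => extension we will assign ourselves.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function respond(array $payload, int $status = 200): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($payload);
    exit;
}

// Validate the uploaded file and return [storedName, width, height].
function storeImage(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Trust the image decoder, not the client-supplied MIME type or extension.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !array_key_exists($info['mime'], ALLOWED)) {
        throw new RuntimeException('not an allowed image');
    }
    // Server-chosen random name: no path separators, no client extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$info['mime']];
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0755, true)) {
        throw new RuntimeException('cannot create upload dir');
    }
    // move_uploaded_file() refuses anything that was not an HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('cannot store file');
    }
    return [$name, $info[0], $info[1]];
}

try {
    [$name, $w, $h] = storeImage($_FILES['image'] ?? []);
    respond(['upload' => [
        'links' => ['original' => UPLOAD_URI . '/' . $name],
        'image' => ['width' => (string)$w, 'height' => (string)$h],
    ]]);
} catch (RuntimeException $e) {
    respond(['error' => $e->getMessage()], 400);
}
```

Whatever directory you pick for UPLOAD_DIR, configure the web server so that nothing in it is executed as a script; the random name and decoder check keep a PHP file from being stored with an image extension, but the directory should be a dead end for script execution regardless.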


How to decode WordPress PHP virus file?

My WordPress site is infected with some malware files; I found a lot of files like the one below.
I tried to decode it using some online decoders, but no luck. I want to know what the hacker does using this file.
I guess he controls some more files on my sites, but the scanner only detects this code; by decoding this I hope to find the other file paths.
Paths of file found are given below
wp-includes/rest-api/requests.ini
wp-includes/Requests/IPconfig.ini
Below is a little part of the file.
Here is the full file in pastebin: https://pastebin.com/EfUNTaRr
if(empty($_GET['ineedthispage'])){
ini_set('display_errors',"Off");
ignore_user_abort(1);
$I7rKRVNNat3intmYmv="10.1";
$IssgsfYr3WZGty="";
$IL8lxLZy5SGibS7od="";
$IGvpZBegv061k="";
if(!empty($_COOKIE['PHPSSIDDD2'])){
$IGvpZBegv061k=$_COOKIE['PHPSSIDDD2'];
}
$IvVtGi5vH1edafW="RE3PUldBWUlTV4";
if(!IIlFCqjaR5JVZ33VAo('curl_init')){
$IssgsfYr3WZGty.="1\t";
$IL8lxLZy5SGibS7od.="1\t";
}
if(!IIlFCqjaR5JVZ33VAo('fopen')){
Can someone decode that file on pastebin? Thank you.
I used phpcs-fixer for a prettier view of this script. You can see it here. I didn't spend much time on decoding, so I may be wrong in my reasoning =)
Function IIlFCqjaR5JVZ33VAo is like an improved function_exists which checks that a function exists, is callable and is not disabled (read from ini):
function __function_exists($functionName)
{
    $functionName = strtolower(trim($functionName));
    if ($functionName == '') {
        return false;
    }
    // '@' suppresses the warning when disable_functions is unset (a '#' here would start a comment)
    $disabledFunctions = explode(",", @ini_get("disable_functions"));
    if (empty($disabledFunctions)) {
        $disabledFunctions = array();
    } else {
        $disabledFunctions = array_map('trim', array_map('strtolower', $disabledFunctions));
    }
    return (function_exists($functionName) && is_callable($functionName) && !in_array($functionName, $disabledFunctions));
}
The script collects many things in files. File names are encoded by these rules:
// this is like file hash
$ItZg0lwPNAV8rSZCcknwRw6=md5(__FILE__);
// ... some other stuff and define directory like {path_to_file}/cache{file_hash}
$Id3jh7jnThGJnxV0=dirname(__FILE__).DIRECTORY_SEPARATOR."cache".$ItZg0lwPNAV8rSZCcknwRw6;
// and then file stored in defined dir
$Id3jh7jnThGJnxV1=$Id3jh7jnThGJnxV0.DIRECTORY_SEPARATOR."ke".substr($ItZg0lwPNAV8rSZCcknwRw6, 0, 8)."ys";
// and so on for [keys, useragents, botips, referers, ...] with interesting logic which I don't fully understand
And then some data is sent to http://main.infowp.info/getdata.php. But I'm not sure. Why this domain? You can see it here.
And it determines which CMS is used (WP, Drupal or Joomla) by checking if a specific function or class exists: wp_insert_post, node_save, JFactory.
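The naming rules the answer decoded are enough to hunt for the script's on-disk artifacts. The following is an added example, not part of the answer or of the malware: it derives the cache directory and keys file the decoded script would create for a given dropper path, and walks a web root for anything matching that scheme. The paths used are constructed placeholders; the hash input must be the absolute path of the dropper, because the script uses md5(__FILE__).

```php
<?php
// Added example: derive and hunt for the artifacts of the decoded script.
// Constructed assumptions: the dropper lives at the absolute path below and
// the web root passed on the command line is where the cache dirs would be.

// Given the absolute path of the dropper, return the names it would create.
function expectedArtifacts(string $infectedFile): array
{
    // md5(__FILE__) in the script hashes the dropper's absolute path.
    $hash = md5($infectedFile);
    $cacheDir = dirname($infectedFile) . DIRECTORY_SEPARATOR . 'cache' . $hash;
    $keysFile = $cacheDir . DIRECTORY_SEPARATOR . 'ke' . substr($hash, 0, 8) . 'ys';
    return ['hash' => $hash, 'cache_dir' => $cacheDir, 'keys_file' => $keysFile];
}

// Does a bare file or directory name fit the script's naming scheme?
function looksLikeArtifact(string $basename): bool
{
    return (bool) preg_match('/^cache[0-9a-f]{32}$/', $basename)
        || (bool) preg_match('/^ke[0-9a-f]{8}ys$/', $basename);
}

// Walk a tree and return every path whose name matches the scheme.
function scanTree(string $root): array
{
    $hits = [];
    if (!is_dir($root)) {
        return $hits;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        if (looksLikeArtifact($info->getFilename())) {
            $hits[] = $path;
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    // Placeholder path: substitute the path your scanner reported.
    $suspect = '/var/www/html/wp-includes/Requests/IPconfig.ini';
    print_r(expectedArtifacts($suspect));
    $root = $argv[1] ?? '/var/www/html';
    foreach (scanTree($root) as $hit) {
        echo "suspicious: $hit\n";
    }
}
```

Run it as `php hunt.php /path/to/webroot`. A directory named cache followed by 32 hex digits, sitting beside a .ini file inside wp-includes, is not something WordPress creates itself, so a hit is worth a look even when the dropper was already removed.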

$_SERVER['HTTP_X_FILENAME'] undefined only on Go Daddy

Hey there so I have sent in a support ticket to go daddy but they aren't being very helpful. In an admin panel for one of my client's websites there is an AJAX image uploader. Normally I don't work with Go Daddy and the script has always worked just fine with other hosts. However this client has forced me into dealing with Go Daddy's mess of a system and I am having trouble getting the AJAX image uploader to work.
The problem seems to be that the $_SERVER['HTTP_X_FILENAME'] is simply not defined, even when a file is posted to PHP using an HTTP request.
In my PHP code I have the following line to grab the file name:
$fn = (isset($_SERVER['HTTP_X_FILENAME']) ? $_SERVER['HTTP_X_FILENAME'] : false);
And on Go Daddy it returns false. Also if I print_r($_SERVER); HTTP_X_FILENAME isn't even defined.
I have checked permissions and everything has the correct permissions. I have checked the error log and no error is being generated. I have checked the php.ini and file uploads is enabled with a 32 MB max (way bigger than any file I've tested with).
I have no idea where to look now as my google searches have come up with nothing. (And server admin really isn't my forte)
Any help would be much appreciated.
thanks!!
Ok, I got this working. Not sure how you manage saving files on pw when using admin. Do they get saved directly to the assets/files/id/ folder or is there a tmp somewhere?
// We check if it is an image upload (the name arrives in a client-set header)
$filename = (isset($_SERVER['HTTP_X_FILENAME']) ? $_SERVER['HTTP_X_FILENAME'] : false);
if ($filename) {
    $this->message("It is a file coming!");
    // basename() keeps the write inside C:/Temp/ even if the header carries "../"
    file_put_contents(
        'C:/Temp/' . basename($filename),
        file_get_contents('php://input') // the raw request body is the file itself
    );
} else {
    if(!$this->isAjaxPost) throw new WireException("This functionality may only be accessed from AJAX POST at present");
    // etc etc...
}
And now I am able to save my files to C:/Temp/. Not sure about the best way to handle this from this situation? Save it to temp folder and use regular pw API and save the file? Or save it right to assets/files/id/ folder and then use API? I can easily send more data (like field name) as a http headers.
If we save it directly to the right place (probably safe since this is admin usage), how do I get the right path? $config->paths->files->3242 or something like that?
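For anyone reusing the raw-body approach from the snippet above, here is an added example of the same idea written as a stand-alone handler. It is not the poster's ProcessWire code and not from this thread. The upload directory and size limit are constructed assumptions. The client still names the file through the X-Filename header, but the name is reduced to a safe basename, the destination is confined to one directory, an existing file is never overwritten, and the body is capped while it is streamed to disk.

```php
<?php
// Added example: receive a file sent as the raw request body, named by the
// X-Filename header. Constructed assumptions: /var/tmp/uploads exists and is
// writable by PHP, and nothing larger than 8 MB is wanted.

const UPLOAD_DIR = '/var/tmp/uploads';
const MAX_BYTES  = 8 * 1024 * 1024;

// Reduce a client-supplied name to a plain basename made of allowed characters.
function safeName(string $raw): ?string
{
    $base = basename(str_replace('\\', '/', $raw));   // strip any directory part
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    if ($base === '' || $base === '.' || $base === '..' || strlen($base) > 128) {
        return null;
    }
    return $base;
}

// Returns [http status, message]; the caller sends them.
function receiveUpload(): array
{
    if (empty($_SERVER['HTTP_X_FILENAME'])) {
        // Same symptom as the question: without the header there is nothing to name.
        return [400, 'missing X-Filename header'];
    }
    $name = safeName($_SERVER['HTTP_X_FILENAME']);
    if ($name === null) {
        return [400, 'unacceptable file name'];
    }
    $declared = (int)($_SERVER['CONTENT_LENGTH'] ?? 0);
    if ($declared <= 0 || $declared > MAX_BYTES) {
        return [413, 'body empty or too large'];
    }
    if (!is_dir(UPLOAD_DIR)) {
        return [500, 'upload directory missing'];
    }
    $dest = UPLOAD_DIR . '/' . $name;
    $in  = fopen('php://input', 'rb');
    $out = @fopen($dest, 'xb');          // 'x' fails if the file already exists
    if ($in === false || $out === false) {
        return [409, 'cannot create destination (exists?)'];
    }
    // Copy at most MAX_BYTES regardless of what Content-Length claimed.
    $copied = stream_copy_to_stream($in, $out, MAX_BYTES);
    fclose($in);
    fclose($out);
    return [200, "stored $name ($copied bytes)"];
}

if (PHP_SAPI !== 'cli') {
    [$status, $msg] = receiveUpload();
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
}
```

If a host really does not pass the custom header through to PHP, this handler answers 400 instead of silently writing an unnamed file, which is the behaviour you want while debugging the question above.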

Hide MP3 full url

I have a music player that links to a song using the following syntax:
<li>title</li>
Is there any way that I could have that executed server side and then be displayed like (see below) for the user?
While searching, I ran across this...I like the idea behind having an external file that has the data...like:
<?php
// get-file.php
// call with: http://yoururl.com/path/get-file.php?id=1
$id = (isset($_GET["id"])) ? strval($_GET["id"]) : "1";
// lookup
$url[1] = 'link.mp3';
$url[2] = 'link2.mp3';
if (!isset($url[$id])) {
    exit; // unknown id: send nothing rather than an empty Location header
}
header("Location: $url[$id]");
exit;
?>
then using http://yoururl.com/path/get-file.php?id=1 as the link. The only problem is that when you type http://yoururl.com/path/get-file.php?id=1 the user goes straight to the file. Is there any way to disable that ability, maybe some code on get-file.php itself?
Ok, so I did a combination of things that I am satisfied with...although not completely secure, it definitely helped me obscure it quite a bit.
First of all, I am using the AudioJS player to play music - which can be found: http://kolber.github.com/audiojs/
Basically what I did was:
Instead of using "data-src" as the path to my songs I called it "key", that way people wouldn't necessarily think it was a path.
Instead of using "my-song-title" as the name of the songs, I changed it to a number like 7364920, that way people couldn't look for that in the source and find the url that way.
I added + "mp3" to the javascript code after all of the "key" variables, that way I would not have to declare it in the obfuscated link.
I used a relative path like "./8273019283/" instead of "your-domain.com/8273019283/", that way it would be harder to tell that I was displaying a url.
Added an iTunes link to the href, that way people might get confused as to how I was pulling the file.
So, now my inline javascript looks like:
<script type="text/javascript">
$(function() {
    // Play entire album
    var a = audiojs.createAll({
        trackEnded: function() {
            var next = $("ul li.playing").next();
            if (!next.length) next = $("ul li").first();
            next.addClass("playing").siblings().removeClass("playing");
            audio.load($("a", next).attr("key") + "mp3");
            audio.play();
        }
    });
    // Load the first song
    var audio = a[0];
    var first = $("ul a").attr("key") + "mp3"; // 'var' keeps this out of the global scope
    $("ul li").first().addClass("playing");
    audio.load(first);
    // Load when clicked
    $("ul li").click(function(e) {
        e.preventDefault();
        $(this).addClass("playing").siblings().removeClass("playing");
        audio.load($('a', this).attr('key') + "mp3");
        audio.play();
    });
});
</script>
My link looks like:
Falling
When you load it up in the browser and you view the source you'll see:
Falling
Then when you use Web Inspector or Firebug you'll see:
Falling - *which doesn't completely give the url away
Basically what I did was make the link look like it's an api-key of some-kind. The cool thing is that you can't just copy the link straight from view source or straight from Web Inspector/Firebug. It's not fool-proof, and can definitely be broken, but the user would have to know what they're doing. It keeps most people away, yet still allows the player to get the url it needs to play the song :)
*also, I got the php obfuscate script from somewhere on Stack Exchange, just not sure where.
Instead of doing a header redirect, add proper headers and include the audio file in your PHP code. Then, in your .htaccess file, you can disallow access to the directory where your audio files live.
If you are using the Amazon S3 service you can use signed URLs for your files. It will be safer, as you have to be a signed user and also the URL can expire. Read this.
No. This is not possible since it is the browser that interprets the HTML to make the page work properly. So if the client (browser) does not know where the mp3 is coming from then it will not be there to use.
On the other hand, if you want to have the music switch songs by clicking a link then I suggest you look into some tools like http://jplayer.org/
EDIT: The only way to probably prevent direct access to the file itself would be to read the file in instead of linking to it from the script. For instance on my image hosting site http://www.tinyuploads.com/images/CVN5Qm.jpg and if you were to look at the actual file path on my server, the file CVN5Qm.jpg is out of view from the public_html folder. There is no way to directly access the file. I use databases to take the image id, look up where it is stored, and then readfile() it into the script and display the proper headers to output the image.
Hope this helps
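The two suggestions that actually change what the client can reach are the signed, expiring URL (the S3 answer) and serving the file through a script from a directory outside the web root (the readfile() answer). Here is an added example that combines them in plain PHP; it is not from any answer above and is not S3. The catalogue, the media directory and the secret are constructed placeholders. A link carries an id, an expiry time and an HMAC over both; the script checks the HMAC in constant time, refuses expired or unknown ids, and streams the file with proper headers instead of redirecting to it, so the real path is never disclosed.

```php
<?php
// get-audio.php  (added example, not code from the thread)
// Constructed assumptions: tracks live in /srv/media/audio, which is outside
// the document root, CATALOGUE maps public ids to file names, and SECRET is a
// long random value known only to the server.

const SECRET    = 'replace-with-a-long-random-secret';   // placeholder
const AUDIO_DIR = '/srv/media/audio';
const CATALOGUE = [
    '7364920' => 'falling.mp3',
    '8273019' => 'second-track.mp3',
];

// Build a link that stops working after $ttlSeconds.
function signedLink(string $id, int $ttlSeconds = 300): string
{
    $exp = time() + $ttlSeconds;
    $sig = hash_hmac('sha256', "$id|$exp", SECRET);
    return 'get-audio.php?' . http_build_query(['id' => $id, 'exp' => $exp, 'sig' => $sig]);
}

// Return the catalogue id if the query carries a valid, unexpired signature.
function verifyRequest(array $query, int $now): ?string
{
    $id  = (string)($query['id'] ?? '');
    $exp = (int)($query['exp'] ?? 0);
    $sig = (string)($query['sig'] ?? '');
    if ($id === '' || $exp < $now || !array_key_exists($id, CATALOGUE)) {
        return null;
    }
    $expected = hash_hmac('sha256', "$id|$exp", SECRET);
    return hash_equals($expected, $sig) ? $id : null;   // constant-time comparison
}

if (PHP_SAPI !== 'cli') {
    $id = verifyRequest($_GET, time());
    if ($id === null) {
        http_response_code(403);
        exit;
    }
    // basename() guards the catalogue itself from ever pointing outside AUDIO_DIR.
    $file = AUDIO_DIR . '/' . basename(CATALOGUE[$id]);
    if (!is_file($file)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: audio/mpeg');
    header('Content-Length: ' . filesize($file));
    header('Cache-Control: private, no-store');
    readfile($file);   // stream the bytes; no Location header, no path in the response
    exit;
} else {
    // CLI usage: print a link for the player page to embed.
    echo signedLink('7364920'), "\n";
}
```

Because AUDIO_DIR is outside the document root, no .htaccess rule is needed to block direct requests; the only way to the bytes is through this script. Anyone who captures a link still has it for the remaining TTL, so this raises the bar rather than making the file unreachable, which is the same caveat the thread already states.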
I use HTTP_REFERER and I can control the origin of the link:
<?php
// key.php
// call with: http://yoururl.com/path/key.php?id=1
$page_refer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if ($page_refer == "http://www.yourdomine.com/path/page.html")
{
    $id = (isset($_GET["id"])) ? strval($_GET["id"]) : "1";
    // lookup
    $url[1] = 'link1.mp3';
    $url[2] = 'link2.mp3';
    if (!isset($url[$id])) {
        exit; // unknown id: send nothing rather than an empty Location header
    }
    header("Location: $url[$id]");
    exit;
}
else
{
    exit;
}
?>

How to Bind SWFs to a Host?

I'm working on a major Flash project that is going to be the core content of a site.
As most of you well know, almost any site can be entirely copied by copying the cached files and the hierarchy (files and folders structure), and it would run without problems on an Apache server with PHP enabled, if used.
What I would like to know is: How to bind SWF files to run on a specific host?
The SWFs will be encrypted, so outsiders won't have access to the methods used to stop the SWF from running on a different host, question is: what method to use?
I think the solution could be hardcoding the host IP inside the SWF, so if the SWF is looking for 123.123.123.123, only a host with that IP would allow the SWF to run further.
The issue is that AS3 alone can't discover the host IP or could it if it's trying to load a resource file? Anyway, that's why I need your help.
EDIT: Ok, seems someone asked for something similar earlier: Can you secure your swf so it checks if it is running on a recognized environment?
I'll try that and see how it works, but the question is still open in case anyone has different suggestions.
I use this method to determine if I am on dev or production in my config files.
var lc:LocalConnection = new LocalConnection();
switch ( lc.domain ){
case "myDomain.com":
case "":// local file reference for dev
case "localhost":// local file reference for dev
case "dev.mydomain.com":// local file reference for dev
break;
default:
// unknown domain do crash the app here
}
One method you could try is a php script that the swf sends a request to and must receive a correct reply from before it continues to operate. Since people can't get at your server-side php, they can't get the needed code to simulate that reply.
The SWFs will be encrypted, so outsiders won't have access to the methods used to stop the SWF from running on a different host
Since the file will run on a client computer (and thus the key would have to be stored in an accessible way), this isn't really that much of a protection.
The best way would probably be to have part of the SWF-logic on the server, and not give access to that part from third party hosts (by using the crossdomain file).
Look into the idea of wrapping main inside a type of preloader, and putting main into a secure dir on the server. I can't remember how this gets around the cache problem, but it had to do with how the wrapper loads main.
Something like this:
// preloader.as (embedded in fla)
var imageLoader:Loader;
function randomNumber(low:Number=NaN, high:Number=NaN):Number
{
var low:Number = low;
var high:Number = high;
if(isNaN(low))
{
throw new Error("low must be defined");
}
if(isNaN(high))
{
throw new Error("high must be defined");
}
return Math.round(Math.random() * (high - low)) + low;
}
function loadImage(url:String):void {
imageArea.visible=false;
preloader.visible = true;
// Set properties on my Loader object
imageLoader = new Loader();
imageLoader.load(new URLRequest(url));
imageLoader.contentLoaderInfo.addEventListener(ProgressEvent.PROGRESS, imageLoading);
imageLoader.contentLoaderInfo.addEventListener(Event.COMPLETE, imageLoaded);
imageArea.addChild(imageLoader);
}
// DOIT!
loadImage("main.sw?"+randomNumber(1000,10000)); //NOT A TYPO!
//loadImage("main.swf"+randomNumber(1000,10000);
function imageLoaded(e:Event):void {
// Hide Preloader
preloader.visible = false;
}
function imageLoading(e:ProgressEvent):void {
// Get current download progress
var loaded:Number = e.bytesLoaded / e.bytesTotal;
// Send progress info to "preloader" movie clip
preloader.SetProgress(loaded);
}
/// this is main.sw //NOT A TYPO
<?php
// Tried this - abandoned
// session_start();
//
// if(isset($_SESSION["flash"])) {
// $referrer = $_SERVER["HTTP_REFERER"];
// $referrer = parse_url($referrer);
// if($referrer["host"] != $_SESSION["flash"]) {
// echo "Permission denied.";
// exit();
// }
// } else {
// echo "Permission denied.";
// exit();
// }
//
// unset($_SESSION["flash"]);
header("Content-type: application/x-shockwave-flash");
readfile("/secure/main.swf");
?>
// main.as
public function onCreationComplete(event:Event):void{
Security.allowDomain( "*" );
Security.loadPolicyFile( "crossdomain.xml" );
}
// crossdomain.xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
That should get you started. The idea here was to prevent anyone from getting main on their machine- I am not sure if it worked.
You may have a server-side page generate a key using a date-based algorithm which is passed via flash var to your swf. This way a "copied" key won't work because by that time, the valid date will have passed. From what I understand, this would essentially be like using an RSA token.
Aside from this, any security you have will also need code to be inside your SWF to validate your token. The problem here is that SWFs are known to decompile quite easily. Meaning that your code isn't safe :( You could obfuscate your AS3 in hopes to confuse any "hackers".
All in all, I've never attempted anything like this, so let us know how it goes!

Problem with AJAX and PHP

I have a small problem, I want to load data from a PHP file and put them on a DIV.
Here's the Jquery code
// Store the username in a variable
var jq_username = $("#txt_checkuser").val();
// Prepare the link variable
var link = 'user.php?action=check&username=' + jq_username;
$('div #checkuser_hint').load(link);
So it works! but instead of loading the result (compiled PHP) it loads the PHP code.
If I write the long URL "http://localhost/project..." it doesn't load anything!
Any idea how to do that?
I think you might be accessing your javascript file as a file on your local filesystem, a request to the same directory would go through the filesystem and not through your webserver, processing the PHP into the desired output. This also explains why http://localhost/project for the AJAX call doesn't work: Javascript might be enforcing the same-origin policy on you.
Verify that you're actually accessing this javascript file through http://localhost/ (as opposed to something like file://C:/My PHP Files/ ).
Does the page return anything when you use your browser?
Are you sure it should not be 'div#checkuser_hint' instead of 'div #checkuser_hint' ?
And this looks like the correct way according to the documentation.
var link = 'user.php';
$('div#checkuser_hint').load(link, {'action':'check', 'username':jq_username});
Are you able to access the script manually on your own? (try accessing it via your browser: http://localhost/...) It may be the case that you're missing your opening <?php and/or closing ?> in the script-file itself.
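The thread never shows user.php, so here is an added example of what the script on the other end of that .load() call can look like. It is not code from the question or any answer. The name list stands in for a user table and is constructed. It accepts the parameters from GET (the original URL form) as well as POST (what jQuery sends when .load() is given a data object), and escapes the username before echoing it, since whatever this script returns is inserted straight into the page as HTML.

```php
<?php
// user.php  (added example, not from the thread)
// Constructed assumption: TAKEN stands in for a lookup against a user table.

const TAKEN = ['alice', 'bob'];

// Read a parameter from POST first (jQuery .load() with a data object),
// then GET (the plain ?action=check&username=... URL from the question).
function param(string $name): string
{
    return (string)($_POST[$name] ?? $_GET[$name] ?? '');
}

// Return the HTML fragment that ends up inside div#checkuser_hint.
function checkUserFragment(string $action, string $username): string
{
    if ($action !== 'check') {
        return '<span class="error">unknown action</span>';
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return '<span class="error">3-32 letters, digits or underscores</span>';
    }
    // The pattern above already excludes markup; escape anyway so the rule
    // can be relaxed later without the fragment becoming an XSS sink.
    $safe = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    return in_array(strtolower($username), TAKEN, true)
        ? "<span class=\"taken\">$safe is already taken</span>"
        : "<span class=\"free\">$safe is available</span>";
}

header('Content-Type: text/html; charset=UTF-8');
echo checkUserFragment(param('action'), param('username'));
```

Open http://localhost/project/user.php?action=check&username=alice directly in the browser first, as the answer above suggests: if you see the raw PHP instead of the span, the request is not going through the web server at all.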
