MakeWebGames

Everything posted by Spudinski

  1. More examples: Gender (in SQL) UPDATE `users` SET `gender` = (SELECT IF(`gender` = 'Male', 'Female', 'Male') AS `tmp`) WHERE userid = %d   Name (in regexp, rewrite it yourself) /[a-z0-9]/i
  2. lol much? Firefox's memory leaks are so bad the developers just turn a blind eye to it.
  3. We often also just tell people, switch or upgrade your browser. But, that makes you (and used to make me) an arrogant fool. So if everybody who posted after the OP could please inform this whole community why you think it's crap, I'll remove you from my list of "idiots-who-know-nothing-but-acts-like-they-do". Back on topic.... I've experienced a lot of problems with IE before, even voodoo like text boxes shrinking and buttons floating around on the page... Most problems such as those are usually because the browser is running in compatibility mode, so I'd suggest confirming if that is turned off. IE >7 and especially IE9 has a bug committed to its source that affected early builds, so an upgrade (still IE9 or new version) might suffice.
  4. Apache takes time of `clock`, but normally Apache doesn't hold any time value.
  5. But... I bet none of you knew this; SQL SELECT IFNULL(('12-04-2001' = '12/04/2001'), 'Nope', 'Yep'); PHP var_dump(('12-04-2001' === '12/04/2001'));
  6. Not really. It's actually not all that easy to bypass a nationwide block.... Unless you base64/rot13 all the data you send and receive (including URLs), you're not going to accomplish anything. Also, you have to consider... An encrypted tunnel via a VPN or whatever, is your right to privacy. But, it's not your right to do so illegally. They will have the freedom to decipher/log any illegal requests. You have to also remember, SSH tunnels are fairly slow, well at least ones that would remotely allow illegal requests like this. And then, bit by bit they will shut down every gateway to that IP block. It's much like Google once was in China/Japan/Whatever, they flip a switch and bye-bye website. Anyway, I'm pretty sure they'll block off requests at data or network level... so good luck.
  7. Happy birthday man...
  8. Disregarding the fact that you dug up a year old post, let me say this. There's a lot more the core developers of PHP can do than sit around deprecating things they believe are insecure or "bad practice". For example, they could get around to designing a proper method of dealing with unicode characters, or even remove goto statements, which are very ineffective in a programming language such as PHP.
  9. No. @Lith: HR is perfectly fine, it's much more efficient than an image. Also, a DIV box works equally well, though a HR is better.
  10. http://modernizr.com/
  11. @a_bertrand: How can the email address be fake? A valid(ated) email is a prerequisite on PayPal... Anyhow, sorry to hear about the inconvenience.
  12. I like my country, but if things work out for me in the future I'd most likely want to move to Sweden. Much like my country, just different people.
  13. Well, yes... and no. I don't mind people helping, what I do mind is people posting unrelated content in this thread. The original modification has been updated for that bug mentioned over two years ago already, it is exclusively a client configuration error at this point.
  14. Please note: THIS IS NOT A SUPPORT TOPIC. If you need support, create an additional thread. I will assist you there. mod2removeunrelatedposts.
  15. Can everyone stop hacking PHP, please? :( Rather find out why contents are being sent before the header(s). By the looks of your script(s), I would suggest that it is a MySQL error or the mail function causing the errors. It's a simple fix either way.
  16. How to safely pick up soap in a prison shower
  17. Rule of thumb: don't put anything on the internet you wouldn't want on a postcard.   Damn You consented the moment you clicked the "Sign up to Facebook" button. Onto the pic... You really messed up with the following: Apple sure as hell won't send that. @Faz: Firstly, :P. Secondly, my respect for him floated away the moment I saw "Cheap Pentesting:cool:" in his signature. EDIT: That picture was his profile picture, which is always public on Facebook. I thought that if he's fine with his personal people seeing that pic, he'd be fine with everybody else seeing it too. Anyways, it's perfectly legal to have posted it, even with MWG's rules. (And yes, I will be a bitch about it if staff removes the picture)
  18. I'd be more than happy to host something that he can pentest from outside. I will even dig in a few holes, just so you know you are actually looking for something. And I'll even list the flaws, just to see if you can replicate them. Deal? Probably not. See, even I am trying to help you prove yourself, we all are actually trying to. But, by now there's only one assumption to be made with regards to your co-operation... You actually don't know jack about anything. Like a client I once had - knows how to put fancy words together in order to sound smart, but after a few minutes speaking to them they are lost beyond belief. Actually, scrap that, you can't even use proper grammar or spelling. Come to think of it, I've never met an IS professional that can't spell. ---------------------------------------------------------------------- You know what, scratch everything. He is too stupid to use a screen name... and even has a public Facebook profile. -__- Say hello to Mr. Michael Evans: Ref: https://www.facebook.com/michael.evo1
  19. Content types can be a nuisance on some hosts, especially shared ones. jQuery has been reported (and I've found) that requests will fail when a content-type is mis-validated by the server. But most of all, it's not very effective to serve files through a PHP script, for multiple security reasons. My suggestion is to know what you want to serve, and set up an isolated environment to do it. Much like a chroot jail for processes, one can do the same for a specific directory on the server. This is normally done by setting the permissions on a specific folder on the filesystem. Another approach I personally use, is to assume the file doesn't have a format. After that, if I want to work with images, I look for telltale signs of compression, something most image file formats have. Then, I grab the first 8 bits of a file, and make a guess as to what file it is. If it doesn't match a specific set of rules, I discard the file or replace the contents with a stream of /dev/zero to maintain validity on the system. For those of you that feel lost with regards to reading 8bits: Most file formats can be identified by looking at the first few characters within the file. Open up a .JPG file, and you should see "JFIF". Open up a .PNG file, and you should see "PNG". Open up a .BMP file, and you should see "BMP". It's also a very handy method for determining if a file is corrupted. There are other techniques to use, such as ImageMagick integrations, but let's not go into depth about them just yet.
  20. There's actually a pretty damn good reason W3C validation does matter.... W3C sets forth a set of rules to follow when generating HTML content. Browsers are developed upon those rules, and attempts to display the content in a predetermined manner. Now, if you don't follow the rules, it's pretty certain that your page will not be handled the same by all browsers, and in affect to malformed pages. So ask yourself? Did you design the website to display differently in each browser, or the same in all? I'm fairly certain it's the latter. For more see http://www.purpleclaw.co.uk/blog-why-valid-code-matters.php.
  21. I heard that one before...
  22. It's possible to create a DoS detection script in PHP, but it's not ideal. But, if you want to block people forever, I'd suggest an iptables approach: rate limiting (--limit). Of course, this would require additional rules to be any kind of a decent method, and could get pretty complex. Or, fail2ban, a collection of scripts that scans the log files for malicious intent, and can be given patterns to match against this kind of thing as well.
  23. Well, there's a guy that goes around each day giving out copies. He's dressed as a mail man, so when you see him, just ask him. It's like trying to spot Waldo, but meh.
  24. If I can give you an awesome tip: Get an IDE. An IDE should show you exactly where the fault within the script is. Ps. Sublime Text ftw, and free, for now.
  25. Yes, rulerofzu recently alerted me of this. I will find a suitable fix for this, since it is rather critical. But, everyone, for now, chmod your upload dir to 775(ugo+rw-x), or something similar. Ps. This isn't a confirmed security hole, but plausible.
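
The header check described in post 19, sketched in PHP as an added example that is not part of any post above and not the poster's own code. The function name `sniff_image_type`, the signature table and the sample files are assumptions made for illustration; it compares each format's full leading byte sequence and goes slightly beyond the post by including GIF.

```php
<?php
// Added example, not code from the post. All names are hypothetical.
// Each entry is the leading byte sequence the format defines.
const IMAGE_SIGNATURES = [
    'png'  => "\x89PNG\r\n\x1a\n",
    'jpeg' => "\xFF\xD8\xFF",
    'gif'  => "GIF8",
    'bmp'  => "BM",
];

// Returns the detected type, or null when the header matches nothing.
function sniff_image_type(string $path): ?string
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = fread($fh, 8);   // longest signature above is 8 bytes
    fclose($fh);
    if ($head === false) {
        return null;
    }
    foreach (IMAGE_SIGNATURES as $type => $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return $type;
        }
    }
    return null;
}

// Constructed sample uploads: the file name is never trusted, only the bytes.
$samples = [
    'real.png'  => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16),
    'photo.jpg' => "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    'fake.png'  => "<?php echo 'not an image';",
    'empty.bmp' => "",
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'sig');
    file_put_contents($tmp, $bytes);
    printf("%-10s => %s\n", $name, sniff_image_type($tmp) ?? 'rejected');
    unlink($tmp);
}
// A matching header only proves how the file starts. Script text can follow
// a valid header, so accepted uploads still belong in a directory where the
// web server never executes files.
```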