truefusion

How do you know all of these security flaws????

One way to become aware of them is by looking at the changelogs of popular scripts. Another way is by searching for websites made specifically for best practices and vulnerabilities. The PHP manual also has a section on security. You can find other sources here.

My background gradient is 1920 px wide.

I see. Well, should i assume the height of it is around at most 20px and that the background loops on the y axis? Otherwise, that would be not only a lot of loading time, but perhaps even a lot of RAM being used on the client side.

Is the font good by the way?

See how this color looks like for the text in the context area that's in the border: #202F32. For the active tab text color, make it darker instead of the grey that it currently has, it seems to be colliding with the background color.

---

The layout looks better than its previous state. I still think, though, that the blue, that is, _____, of the 3D object is colliding with the background color.

By the way, what program did you use to make the 3D object?

Line 5 would be:

$from = $_POST['Email');

Needs to be replaced with:

$from = $_POST['Email'];

That should fix the syntax error.

You said you pretty much copied code from a YouTube video, so it's not really your fault on why it contains security issues.

I don't see meditation as placing trust in a metaphysical thing, I see it as a skill like swimming or riding a bike, a way to mentally disciplin myself into gaining greater focus and control over my body and mind.

Meditation concerns the conscious, the conscious is metaphysical, therefore meditation is metaphysical. You place your trust in it by believing that such a "process" or, as you put it, "skill" ("skill" implies something that needs to be obtained as if you don't already have it) will actually help you control yourself, which by stating "help control myself" implies, again, that meditation is separate of yourself.

But to ask me to believe that a greater force is preventing me from obtaining peace is (to me, i'm not trying to be rude) absurd. It is MY life, and even if an individuals context is myriad, success or failiure is part chance and part that individuals choices. Statistically you can fail a coin toss ten times in a row, such is life, it doesn't mean that a metaphysical being is manipulating the results of that coin toss. Similarly just because you have failed so far does not necessarily mean you will fail the next time, unless of course you are doing something drastically wrong and you don't see it.

It is your life; however, i don't believe you would disagree with me when i say that if you were to attempt to unjustly cause harm to another conscious being, that you should be allowed to do so. Therefore, though being your life, limitations are to be enforced for the safety of others—whether you want there to be limitations or not. Also, concerning the coin toss: although it does not necessarily mean that there is a (conscious) force deciding on what side the coin lands, it also doesn't mean that there isn't one.

... and much as I hate to stick my neck out humans are living on the tiniest speck of a speck of a speck, to believe that we are important to anyone anywhere but ourselves except MAYBE as some kind of potential force of change in millions of years seems to me to be... Well, very human of us.

That doesn't mean there isn't one.

We are not living on instinct backed up by hundreds of generations anymore, we are living on conscious thought backed up on the thoughts and actions of ourselves and others. We are almost entirely culture. Although, I suspect a perfect creature to deal with the modern world would seem as insubstantial to us as a story on the cover of the Morning Sun.

I don't see any difference between "instincts" and "conscious thoughts and actions," as instinct is within itself a conscious thought that normally brings forth action. We have the ability to control instincts. Instincts, as i see it, is for one just a "constant reminder" of perhaps what needs to be done. For example, seeking for food, mating, to seek life, etc. It is also a thought process that occurs almost instantly but with undesirable consequences, like cursing in anger—the words are ready to be used. This is no different to what is already occurring.

For absolutely everyone (from monks to the biggest most materialistic bully you know) to stop living the way we are now would require the next generation to essentially grow up in the literal ruins of this one. And not only that, it would require the new generation to not be curious, to not want to create physical things to improve quality of life, to not (by the definition of humans as having imagination) be human.

It can happen in this generation too, and without requiring to stop being human. For even if we stopped being human, it does not follow that anything foolish we commit will end. Otherwise, we would be able to say of such about the rest of the animal kingdom. However, if the majority is the majority, then it would require a force larger than the majority to bring about a change.

Desires are driving forces in the world. Would you tell someone you loved them if you did not desire them? In the same way would you attempt to get a promotion if you did not desire that which came with it?

All of which deal with faith, love and hope. Likewise, if the person that you expressed your love to turns you down, those three things (i.e. faith, love and hope) would all collapse. And it can be said it was due to placing those three things upon something that fails or can fail. However, thanks to the way humans are, i can very much answer all these questions with a yes. Why? Because people like to joke around.

Would you place your trust in a metaphysical being if you did not desire the feeling of security that came with it?

I popped this one out of its context as it appears that "you" is no longer plural (though i could be wrong). To address the rhetorical question, i did not come into my faith because i sought security, i came to believe because i sought answers and found them. So it is very possible to trust in a metaphysical (supreme) being without desiring the feeling of security. If there is any feeling of security, it would be a side effect, mostly due to accepting the metaphysical being's existence because of logic and reasoning.

Why not just use the one that comes with Vista? You haven't complained about it in this topic (yet), so i would suspect it to work to some extent. I'm not sure what rating i'd give Vista's Firewall, though. Maybe a 5 out of 10, though i've never owned Vista; i've used Vista on a laptop once, but would never want it on my computer.

I really took time to do this and I would like to know how it turned up.Tell me your opinions, it still needs a bit fine-tuning but I think it looks pleasant to the eye unless you're allergic to blue

Looks a lot better, especially the glossed tabs. The tabs remind me of the Murrine GTK theme engine. For the black drop shadow on the sides, changing the layer blending to Overlay may make it look better. And i don't know why, but the text in the context area (i.e. the text within the blue border) seems like it would be better if another font was used; everywhere else appears fine. Perhaps the blue border surrounding the paragraph would look better if it had the background color of (i suppose i would call it) the "body area," that is, #6FCAED. And for the active tab, the blue tip, perhaps blend it to Overlay (i.e. if it's on its own layer).

As a side note, since it can be quite annoying to attempt to match all screen resolutions with certain gradient backgrounds, since the image doesn't reach 1600px in width, and since some GFX cards are going beyond that width, with the current gradient background you have, the only way i see that you can satisfy all screen resolutions is to align the background all the way to the left or right edge. You pick the edge, and on the opposite edge you pick the color of the very last pixel at that edge and place it as the background for the page. That way it'll seem like it continues and not get cut off by white space.

Thats just it though, Would be a lot easier just to have a network of people not a bot doing this. yea you could do it as a plug in, and just go into one room. But pretend you have a tornado warning for say New York State. There a lot of rooms there. I feel as it would be better to have real a real person doing this not some bot or plug in, for the simple fact a real person can update a little faster than a plug in bot.

There's already a network of people: the weather station. Yes, this is not what you meant, but i'm trying to lead to a point. The main reason why people know of a tornado warning is not (necessarily) due to people looking out their windows, it's due to the technology, the radars, etc, that the weather stations use to notice patterns and circulations on levels that cannot be observed through the human eye. However, since you've given the impression that you are more knowledgeable in the area of weather, you'll have to correct me on any information i am putting out here. But since it is these networks (of which some networks seek other organizations for verification or justification) that take the time to form a conclusion and then take more time just to get it out to the public, the same time, i believe, is taken on getting the same information out to the internet, since they are a network. Otherwise, if it takes longer to produce the same information on the internet, it may be pointless to do so if by the time they release the information the warning is already no longer in effect. I know of an open-source weather protocol that i can install here in Linux which is available in Ubuntu's repository (though i forgot the name of it) which i've used before, and they release warnings and other similar information. A bot could be made using that service.

I think the answer here is... Yourself.Think about it, if you can go into a downward spiral because of your own mind, then the reverse is true.
Positive mental habits are a good start, personally I am thinking about exploring meditation to try and have more control over myself.
This is probably because I am a athiest/skeptic by nature, but I don't believe in a higher power that cares in me particularly.
But I trust myself to provide the drive to get out of any situation, and if I don't, I probably don't deserve to get out of that situation!

Requesting that i think about a matter you might find to be undesirable. For one, what you think to be the answer contradicts what follows. By seeking meditation, it is not you who tries (emphasis on "tries") to control you, it is the meditation. This goes against your skepticism except if you already tried meditation; however, it is obvious you haven't, since you are thinking about exploring meditation. It also somewhat goes against your atheism, since you are placing your trust and faith in a metaphysical thing. Then we're to the part where you apparently don't deserve relief from a situation, as it implies a (metaphysical) force that is greater than you that is preventing you from obtaining peace.

But to put things back into context from my original statement, the problem was due to placing trust in things that fail or have the ability to fail. I do not believe that anyone one in the current population is capable of representing themselves well. The argument is often given that we are not perfect beings—however, that's my point. That mere fact should be more than the deciding factor on what to place your trust in. Logic will always argue for both sides of a matter, therefore decision making is most often faith-based. When experience enters into the picture, logic kicks in more than faith, especially if the experience concerned something that failed. I don't think the majority of the people on earth is going to deny that there is more trouble in the world than peace. Interestingly enough, this trouble is due to materialism, the love for physical things, usually always involving money (whether they have it or not).

And now we're back to placing trust in physical things, which i've already discussed in my previous post.

So your problems are with motivation/organisation/job and life skills?Believe me, there are faar worse problems to have.
Where would you like to start solving them?

(I believe it's obvious to some extent that "you" here is plural.) The question (i.e. the second one in the quote) is an interesting one as it merely asks about desires, not providing a solution to any situation. Depending on the situation, asking the question may provoke (further) depression or wishful thinking. However, wishful thinking implies that hope is involved. Here's the thing about hope: it's tied together with love and faith. If one of them fails, it takes down the others. When in such a state, the person is most likely incapable of exiting the state without outside interference, therefore trusting anything you may find to be dangerous, as you've already placed trust in the very things that failed you. So the situation becomes somewhat circular, perhaps subconsciously asking, "What can i place my trust in?" Since this obviously implies uncertainty, the decision making process is disturbed. However, the key point that should be emphasized in troubling situations is: Trust in that which cannot fail.

PHP will make the learning process easier. It's an easy programming language to understand, mostly thanks to their well-written documentation. But being an interpreted language means it cannot do everything, since PHP is, i would say, a medium to high level programming language. I do not know how one participates in GSOC; however, the page implies that you have to be part of a mentoring organization—whatever that means. They said applications for 2009 will start being accepted today. According to the FAQs, it appears just about any group can be a mentoring organization.

Since you are pretty much just starting out in learning how to program (at least that is what i get from your post), it may be better for you to take part in perhaps the 2010th GSOC. Understanding a language and writing some code from the understanding can happen as quick as, i would say, 30 minutes. Of course, the program will be extremely simple, most likely a "Hello World!" program (which in PHP can take up no more than one line). Since you mention modules, that's more complex and requires understanding more than just the language itself, it requires understanding the structure and function of the script or program you're writing a module for. Such implies a (very) good understanding of the language itself.

What really concerns me is the security flaws now. How can hackers modify the php code if they do not have access to my host provider or server?

They don't need access to the server, you made their work easier by using _REQUEST instead of _POST. Why? Because all they need to do is look at the form's source code, look at the name of all the required fields and then just modify the URL of the script. _REQUEST covers both _POST and _GET. If you used only _POST instead of _REQUEST, that means they'd have to work harder by making their own HTML form. This is known as cross site scripting. This allows them to use TEXTAREA where INPUT fields are supposed to be, therefore allowing them to submit new lines—the very thing i said your script should look out for.

Where do you guys think I should harden the flaws at from where the code is at now?

Technically, you'll only need to filter out the fields that you eventually place in the header. In your case it would be the $from variable. I've already mentioned in a previous post what to look for and how to take care of it. However, the preg_match function uses regular expressions, so i'll provide the code on how it should look like:

if (preg_match("/(%0A|%0D|\n+|\r+)/i", $from)){	exit("Header injection detected.");}

I'ma assume you know where to place this.

I added stripslashes to the mentioned code and I'm still getting the / after apostrophes. Does my code look wrong still?

You didn't strip the slashes from the message, you only stripped some of the other fields; but place the following at the beginning of the script:

ini_set("magic_quotes_gpc", 0);

What I'm having a little hard of a time to understand is why you're stripping slashes when there isn't a moment where you put them on the variables.

It's called magic quotes. Really annoying to work with especially when working with MySQL. Thankfully they'll be completely gone by PHP 6. They're already marked as deprecated in PHP 5.3.

Should I remove those curly brackes and place some other character to close those arrays?

I guess if it works, then it's okay. I've just never seen that syntax in PHP before.

In regards to that security flaw you're talking about. How do I enhance that code so clients will not get spammed? I definitely don't want crackers or hackers spaming clients.

Header injection normally deals with the hacker or user inserting new lines in areas where they are not supposed to. Basically you are supposed to look out for the following characters: %0A, %0D, \n, and \r. If you find these, you should tell the script to exit. You can look for these characters using preg_match.

One more thing truefusion, do I put the Stripslashes command before the $name = $_REQUEST['Name'];?
Could you give me an example of how the Stripslash command would be written with this code?

$name = $_REQUEST['Name'];?

The quickest way would be to do:

$_REQUEST = array_map("stripslashes", $_REQUEST);

Otherwise you'd have to do

$name = stripslashes($_REQUEST['Name']);

for each relative field.

Thoughts?

He's actually going to be doing something?—need i say more? But seriously, the news concerning him has been pretty general, and there's been more speeches than acting from what i've seen. There's also been some flip-flopping concerning some things he promised. Concerning the economy, i know of the phrase, "You have to spend money to make money," but in a depression? If money leaves the country, then work is basically done in vain, because then we have to print more money to fill the gaps, which will just ruin the American dollar even more. I don't think voting for a "representative" is the best system. If it affects the people, the people should have a say in the matter, giving the matter to the people to vote on the actions that should be taken.

 

I've been seeing some of Obama's speeches on YouTube to see what kind of fallacies i can find (since i hear politicians tend to commit fallacies) and to see what was so great about his speeches. He did commit a lot of fallacies in his speeches, mostly appeal to emotion and false dilemma; begging the question and other fallacies were committed also, but those weren't so (")dangerous.(") I would have much rather preferred Ron Paul (after studying some of the candidates), but Obama's in power now, so there's not much to be done about it now. Regardless, i would have assumed it common sense not to spend when you are not capable of doing so.

I'm not entirely sure which part is coding and which part was made in the GIMP. However, i think the buttons and the 3D object should be centered to be in alignment with the content box (likewise perhaps the W3C icons). I think also rather than fading into that greenish color, it should fade out into a black color or darker blue color. The interesting part about it now, though, is that the reflection on the 3D object is pointing towards the bright side, as if the bright side is actually reflecting light on it, so replacing that greenish side with a dark color would ruin that effect. Regardless, the color for the 3D object needs to be changed to match the background color better, so when changing it, you can change the location of the light, making things work consistently there.Given the position of the buttons, it may be better if they imitate more of a tabbed look. I think also vector and grunge brushes would work well here, that is, after making the aforementioned modifications, like making them appear like they're coming out of the darkness, so to speak. Perhaps even some abstract brushes to go along with it. Then you can perhaps make the background of the context area more transparent, but to where the text is still visible. Also, i'm not sure if you're using actual text or if the text for the buttons was done in the GIMP, but if they were, you should consider a more stylish font. The typography of the layout could use some spicing up. Anyway, i don't having anything else to say.

Does anyone know where I would put in the Stripslashes command so I can see apostrophes instead of slashes?

It would go here:

$name = $_REQUEST['Name'];

and here (which is not found anywhere explicitly in your code; that is, only found in the foreach loop):

$_REQUEST['Message'];

Also, this part contains a security flaw:

$from = $_REQUEST['Email']; $headers = "From: $from";

You aren't filtering the _REQUEST['Email'] variable. This allows for header injection, which would allow anyone to use your script to spam random people.
Also, i've never seen curly brackets for accessing arrays before:

$fields{"Name"} = "Name"; $fields{"Company"} = "Company"; $fields{"Email"} = "Email"; $fields{"Phone"} = "Phone"; $fields{"Message"} = "Message";

This doesn't give you a syntax error?

Now for the advice on this matter. the main being would something like this be concidered Spam, or a Public Service?

Spam if irrelevant or if you've been misinformed concerning the area; public service for those without radios or television sets; however, i would suspect that if they can afford internet, they can afford a television set, even if it's a cheap one. If they're being distracted by the internet, i suppose bringing them back into reality would be a good thing.

 

Question 2 How would I go about getting others in this? I alone cane not cover all chat rooms. you can have more than one tornado warning in other states.

Coding a weather bot.

Coding a Yahoo Messenger weather plug-in, if there isn't one already (assuming Yahoo Messenger supports plug-ins). If Yahoo Messenger doesn't support it, request the developers for plug-ins support; that is, if they'll actually listen.

But you don't really need to cover all chat rooms.

 

And last would all this be worth all the trouble?

Up to you.

I can't remember, where did you need to write the domain of your website? I just logged in to my kontera account and I can't change domains or see the one I'm using? As I remember when I signed up, I didn't write anything? OR did I? IF I did then I can't remember what I wrote, but I signed up instantly..
Can anyone confirm that the domain needs to be written on sign up? or Where do you wrote it? :?

I noticed that too. It appears upon sign up that is the only way to add a site without having to contact Kontera. I don't remember typing in my website either, but i can't deny the fact that the sign up page has a field to add a site. As Pasten shows, adding more sites to one's account requires e-mailing Kontera, which implies the same act for wanting to remove sites, although there may not be an article on that in the Help section. But i'm not sure of the benefit of having to go through the hassle of adding more sites. At the same time, i haven't gone through their Help section and similar sections, so perhaps there is some benefit to it. But i wouldn't be inclined to say that not adding more sites would cause your account to be canceled, since the only current way of adding sites is by contacting Kontera.

Simple and elegant—pretty nice. Also, the emphasis on the word "free" was a good move. I don't have much to say about it except thumbs up.

You could probably pull something off with Alchemy. However, that implies knowing C or C++, which i don't think you know any, let alone would consider making a game completely from scratch like that. The other method of going about it may deal with Java, but Java has its own complexities. In either case, it would require a lot of bandwidth just to host the games. You would probably have to buy your own server to host it on.

I have a stupid question though. What do I put for the Site URL when signing up to earn money on Xisto? Is it Xisto.com? Or do I put my own personal site?
Also, has anyone made any money yet? What's the rate per click? Any catches? (The website looks very nice, but at the same time, I'm personally finding it hard to get any real hard facts about the program itself.)

You can put your site; i don't think it really matters what you put. I haven't made any money per se, but i'm near the minimum. There doesn't seem to be any catches; however, the IRS can take a piece out of your earnings if you are liable.

What do you mean by "white space"? A normal whitespace such as " " or some kind of vulnerability name that I don't know?

Trailing spaces, yes. In your strip_things function, you would include rtrim($string). Looking at changelogs helps in figuring out how to avoid SQL injections or other attempts to obtain administrative privileges.

I have been wondering for a while now, running a htmlspecialchars($string) and a mysql_real_escape_string($string) would take care of any kind of 'damage' intended when it's user input?

I did research once on the MySQLi extension for PHP, because i heard it automatically filters out the input. All i could find was that it just uses mysql_real_escape_string(). I still need to do more research on the subject, but if that is all MySQLi does, then i'm a bit amazed. It feels like there would be more.

Would that be it?

No, you should also filter out any white space. WordPress had a whitespace vulnerability once, if i remember correctly, where the exploiter could register themselves as an already existing user, even as users with administrative privileges. I heard MySQL in the background removes the white space itself. This may also imply that the way WordPress handled its logged-in users wasn't smart in its ways, as it implies that it retrieves the user's privileges based on the name of the user in a specific order, probably due to the fact that the developer thought multiple users with the same name cannot exist.
Either way, security is more than just filtering out input, especially if you're depending on another piece of software.

Looking forward to the April 9.04 release soon.

I won't even wait for it to be released in April, i'ma switch immediately after Alpha 6 comes out, which will be in about 6 days from today. Looking at the Jaunty packages in the libraries section, i can already see Qt 4.5. This will be quite helpful in expanding my programs.
Also, i hear they've increased performance again for Ubuntu concerning 9.04. When 8.10 was out, i was amazed by its performance, so i'm wondering what to expect from 9.04. Perhaps i could do some more tweaking to what it is being done to it already to increase performance, at least boot times, even further. I saw a YouTube video once showing Ubuntu boot up in about 10 secondsthat is, the system and the GNOME environment (they had enabled the auto-login feature for GDM). I was a bit skeptical concerning the video, as to me it looked like they just added a fast-forward effect, but in the description the comp specs had a processor that was overclocked to 3.7ghtz, so that would explain the speed. I think they also had disabled USplash.

Here's a snapshot of the current rough draft i'm working on. I have another design idea, but this design alone took hours just to design it in the GIMP, and it'll take more hours to code all of the pages, so if i were to make it, it would have to come later. I shrunk the image down just enough to see the site and so i won't have to waste any time putting a watermark on it. Concerning the logo of a lock (if you can see it), i have an idea that could be furthered with it. That is, the letter "a" in Xisto could take the shape of an opened lock. Once i'm done with this template and all the pages, i plan on making a tutorial on how i modeled the lock in Blender.

Topic is resolved.Please PM any moderator to continue this discussion. Until then, this topic is closed.