Snipe.Net

Posts Tagged ‘mysql’


Posted on July 1, 2008 - by snipe

Identify and Fix SQL Injection Vulnerabilities in Web Applications

Scrawlr is free software for scanning your web applications for SQL injection vulnerabilities, developed by the HP Web Security Research Group in coordination with the Microsoft Security Response Center.

Scrawlr crawls a website while simultaneously analyzing the parameters of each individual web page for SQL injection vulnerabilities.

After the scan, if it finds vulnerabilities, it displays your database table names as proof that the SQL injection is real.

From the HP Scrawlr website:

Technical details for Scrawlr

  • Identify Verbose SQL Injection vulnerabilities in URL parameters
  • Can be configured to use a Proxy to access the web site
  • Will identify the type of SQL server in use
  • Will extract table names (verbose only) to guarantee no false positives

Scrawlr does have some limitations versus our professional solutions and our fully functional SQL Injector tool

  • Will only crawl up to 1500 pages
  • Does not support sites requiring authentication
  • Does not perform Blind SQL injection
  • Cannot retrieve database contents
  • Does not support JavaScript or flash parsing
  • Will not test forms for SQL Injection (POST Parameters)

There are some limitations, as noted in the bulleted list above; however, this is certainly a good start to help web developers find and correct vulnerabilities in their applications. Download Scrawlr now - Windows only.
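What Scrawlr is looking for is the pattern below: a URL parameter pasted into SQL text, with the database's own error output (the "verbose" part) reaching the browser. This is an added example, not code from the post, from HP or from Scrawlr itself; it uses an in-memory SQLite database with a constructed "articles" table so it runs with no MySQL server, and shows the vulnerable query next to the prepared-statement fix.

```php
<?php
// Added example (not from the original post or from HP): the pattern Scrawlr
// flags, interpolating a URL parameter into SQL, next to the prepared-statement
// fix. Uses an in-memory SQLite database so it runs without a MySQL server;
// the "articles" table and its rows are constructed here for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
$db->exec("INSERT INTO articles VALUES (1, 'Public post', 1), (2, 'Unpublished draft', 0)");

// VULNERABLE: the id from the query string is pasted straight into the SQL text,
// so the WHERE clause is whatever the requester wrote.
function article_titles_vulnerable(PDO $db, string $id): array {
    $sql = "SELECT title FROM articles WHERE published = 1 AND id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// FIXED: the id is bound as a parameter, so it can only ever be compared as a value.
function article_titles_safe(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT title FROM articles WHERE published = 1 AND id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$normal  = '1';          // what a real link sends
$tainted = '1 OR 1=1';   // constructed input of the kind a scanner sends

print_r(article_titles_vulnerable($db, $normal));   // only the published row
print_r(article_titles_vulnerable($db, $tainted));  // the condition was rewritten: both rows
print_r(article_titles_safe($db, $tainted));        // the input is just data: only the published row
```

Two things make a finding "verbose" in Scrawlr's sense: the query text is built from the parameter, and the database error text is echoed into the page (display_errors on, or `mysql_error()` printed to the user). Prepared statements remove the first; logging errors server-side instead of printing them removes the second.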



Posted on June 19, 2006 - by snipe

Creating a Multi-Level Listbox in PHP/mySQL

This lets you create a nested multi-level category menu through PHP and mySQL:

Database:
This code assumes that you have a database table containing your menu options that looks something like this:

Table categories:
+--------+----------------------+-----------+
| id     | name                 | parent_id |
+--------+----------------------+-----------+
|      0 | Main Category 1      | 0         |
|      1 | Main category 2      | 0         |
|      2 | Subcategory 1        | 1         |
|      3 | Subcategory 2        | 1         |
|      4 | Main category 3      | 0         |
+--------+----------------------+-----------+

It also assumes that the name of your listbox is "cat_id". This is easily changed, mind you - you just have to change the select code down at the bottom and the "$categories = $_POST['cat_id'];" line to reflect whatever you're naming it.

<?php

/* ---------------------------------------------- */
/* ------------ BEGIN PHP SNIPPET --------------- */
/* ---------------------------------------------- */
// $current_cat_id: the current category id number
// $count: just a counter, call it as 0 in your function call and forget about it
/* GET THE DROP DOWN LIST OF CATEGORIES */

function get_cat_selectlist($current_cat_id, $count) {

    static $option_results = array();
    // if there is no current category id set, start off at the top level (zero)
    if (!isset($current_cat_id)) {
        $current_cat_id = 0;
    }
    // the id only ever comes from our own table, but cast it anyway so the
    // query can never receive anything other than an integer
    $current_cat_id = (int) $current_cat_id;
    // increment the counter by 1
    $count = $count + 1;

    // query the database for the sub-categories of whatever the parent category is
    $sql  = "SELECT id, name FROM categories WHERE parent_id = '$current_cat_id' ";
    $sql .= "ORDER BY name ASC";

    $get_options = mysql_query($sql);
    $num_options = mysql_num_rows($get_options);

    // our category is apparently valid, so go ahead...
    if ($num_options > 0) {
        while (list($cat_id, $cat_name) = mysql_fetch_row($get_options)) {
            // a category we have already listed (e.g. a row whose parent_id is
            // its own id) would recurse forever, so skip it
            if (isset($option_results[$cat_id])) {
                continue;
            }
            // if it's not a top-level category, indent it to show that it's a child category
            $indent_flag = '';
            if ($current_cat_id != 0) {
                $indent_flag = "  ";
                for ($x = 2; $x <= $count; $x++) {
                    $indent_flag .= "--> ";
                }
            }
            $cat_name = $indent_flag . $cat_name;
            $option_results[$cat_id] = $cat_name;
            // now call the function again, to recurse through the child categories
            get_cat_selectlist($cat_id, $count);
        }
    }
    return $option_results;
}
?>

You would call the function using something like this:

<select name="cat_id">
<option value="">-- Select --</option>

<?php
$get_options = get_cat_selectlist(0, 0);
$options = '';
if (count($get_options) > 0) {
    // the id that was posted back, if any
    $categories = isset($_POST['cat_id']) ? $_POST['cat_id'] : '';
    foreach ($get_options as $key => $value) {
        $options .= "<option value=\"" . (int) $key . "\"";

        // show the selected items as selected in the listbox
        if ($categories == "$key") {
            $options .= " selected=\"selected\"";
        }
        // escape the name so a category called e.g. "A<B" can't break the markup
        $options .= ">" . htmlspecialchars($value) . "</option>\n";
    }
}
echo $options;
?>
</select>
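The snippet above runs one query per category level and recurses on every row, which means a row whose parent_id equals its own id never terminates, and the names go into the markup unescaped. As an added example (not the post's code), here is the same indented listbox built from a single query, walked in memory with a cycle guard, and escaped on output. It uses an in-memory SQLite table with constructed rows mirroring the one in the post, so it runs without a MySQL server; the ids differ from the post's table only in starting at 1.

```php
<?php
// Added example, not the original post's code: builds the same indented
// <select> from the "categories" table with one query instead of one query per
// level, escapes every value before it reaches HTML, and guards against a row
// whose parent_id points back at an ancestor (or at itself). Uses in-memory
// SQLite with constructed rows, so it runs without MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT, parent_id INTEGER)');
$db->exec("INSERT INTO categories VALUES
    (1, 'Main category 1', 0), (2, 'Main category 2', 0),
    (3, 'Subcategory 1', 2), (4, 'Subcategory 2', 2),
    (5, 'Sub-subcategory <b>bold?</b>', 3), (6, 'Main category 3', 0)");

// Returns [id => indented name] in tree order, children listed under their parents.
function cat_options(PDO $db): array {
    $children = [];   // parent_id => list of [id, name]
    foreach ($db->query('SELECT id, name, parent_id FROM categories ORDER BY name') as $row) {
        $children[(int) $row['parent_id']][] = [(int) $row['id'], $row['name']];
    }
    $out = [];
    $walk = function (int $parent, int $depth, array $seen) use (&$walk, &$children, &$out) {
        foreach ($children[$parent] ?? [] as [$id, $name]) {
            if (isset($seen[$id])) {
                continue;            // cycle (e.g. parent_id == id): skip instead of recursing forever
            }
            $out[$id] = str_repeat('--> ', $depth) . $name;
            $walk($id, $depth + 1, $seen + [$id => true]);
        }
    };
    $walk(0, 0, []);
    return $out;
}

// Renders the <select>; $selected is the id posted back by the form, or null.
function cat_select(array $options, ?int $selected, string $field = 'cat_id'): string {
    $html  = '<select name="' . htmlspecialchars($field, ENT_QUOTES) . '">' . "\n";
    $html .= '<option value="">-- Select --</option>' . "\n";
    foreach ($options as $id => $label) {
        $sel = ($selected === $id) ? ' selected="selected"' : '';
        // the name is data from the database, so it is escaped before it becomes markup
        $html .= sprintf("<option value=\"%d\"%s>%s</option>\n",
            $id, $sel, htmlspecialchars($label, ENT_QUOTES, 'UTF-8'));
    }
    return $html . '</select>';
}

$selected = isset($_POST['cat_id']) ? (int) $_POST['cat_id'] : null;
echo cat_select(cat_options($db), $selected);
```

Reading the whole table once and walking it in memory costs one round trip however deep the tree is, and the `$seen` set makes the walk terminate on any data the table might contain, which matters because the post's own sample table has a row with id 0 and parent_id 0.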



Posted on June 27, 2004 - by snipe

Dynamic thumbnailing with PHP and Imagemagick

This code formatting is a little off, since the WYSIWG editor seems to have eaten part of it. Sorry.

<?php

/* ---------------------------------------------- */
/* ------------ BEGIN PHP SNIPPET --------------- */
/* ---------------------------------------------- */
// specify your file details
$current_file = "image.jpg";
$max_width = 150;

// get the current info on the file
$current_size = getimagesize($current_file);
$current_img_width = $current_size[0];
$current_img_height = $current_size[1];
$image_base = explode(".", $current_file);

// this part gets the new thumbnail name
$image_basename = $image_base[0];
$image_ext = $image_base[1];
$thumb_name = $image_basename . "-th." . $image_ext;

// determine if the image actually needs to be resized
// and if it does, get the new height for it
if ($current_img_width > $max_width) {
    $too_big_diff_ratio = $current_img_width / $max_width;
    $new_img_width = $max_width;
    $new_img_height = round($current_img_height / $too_big_diff_ratio);

    // presto chango alacazam
    // the geometry must be WIDTHxHEIGHT with no spaces, and the file names are
    // shell-quoted so a name with spaces or shell metacharacters stays one argument
    $geometry = $new_img_width . "x" . $new_img_height;
    $make_magick = system("convert -geometry " . $geometry . " "
        . escapeshellarg($current_file) . " " . escapeshellarg($thumb_name), $retval);

    // let us know if it worked or not (convert exits with 0 on success)
    if ($retval == 0) {
        echo "Thumbnail created - " . $thumb_name;
    } else {
        echo "Oops - no dice! Script failed cuz your momma doesn't love you.";
    }
} else {
    echo "No need to resize! You're perfect just the way you are.";
}

?>
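The snippet hard-codes `image.jpg`, but the obvious next step is to take the file name from the request, and at that point the string handed to `system()` is built from user input. The following is an added example, not the post's code, showing the same resize rule with the name validated and shell-quoted before ImageMagick sees it. It assumes an `images/` directory next to the script and a `?file=` parameter; both are assumptions for the demo.

```php
<?php
// Added example, not the original snippet: the same "resize if wider than
// $max_width" logic, but with the file name validated and shell-quoted before
// it is handed to system(). The name is assumed to arrive from the request
// (?file=...), which is exactly when a command built by string concatenation
// would let a crafted name change what the shell runs.
function thumbnail_command(string $file, int $max_width): ?string {
    // Only a bare file name with a known image extension, no directory parts.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/i', $file)) {
        return null;
    }
    $dir  = __DIR__ . '/images';            // assumed upload directory
    $path = $dir . '/' . $file;
    if (!is_file($path) || ($size = getimagesize($path)) === false) {
        return null;
    }
    [$width, $height] = $size;
    if ($width <= $max_width) {
        return null;                        // nothing to do: already small enough
    }
    $new_height = (int) round($height * $max_width / $width);
    $geometry   = sprintf('%dx%d', $max_width, $new_height);   // e.g. 150x100, no spaces
    $thumb      = preg_replace('/\.(\w+)$/', '-th.$1', $path);
    // escapeshellarg() wraps each path in single quotes and escapes any quote
    // inside it, so each name reaches convert as one argument and is never
    // parsed as shell syntax.
    return 'convert -geometry ' . $geometry . ' '
         . escapeshellarg($path) . ' ' . escapeshellarg($thumb);
}

$file = isset($_GET['file']) ? (string) $_GET['file'] : 'image.jpg';
$cmd  = thumbnail_command($file, 150);
if ($cmd === null) {
    echo "Nothing to resize (or the file name was rejected).\n";
} else {
    system($cmd, $retval);
    echo $retval === 0 ? "Thumbnail created\n" : "convert failed with status $retval\n";
}
```

The allow-list on the name does the heavy lifting: it rejects `..`, slashes and anything that is not a plain image file before any filesystem or shell call, and `escapeshellarg()` is the second layer in case the rule is ever loosened.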



Posted on June 27, 2002 - by snipe

Google Style Page Numbering (with x per page and y page numbers displayed)

With just a few modifications, we can create a piece of code that will not only give you x results per page with page numbers, but it will also allow you to specify how many page numbers should appear on the page at any time, much like Google.  (For example, if you have hundreds of page numbers, this would look messy and cluttered - using this code, you can tell it to only display 5 page numbers per page.)

<?php
/* SNIPE.NET PAGE NUMBERING SNIPPET
Description: This code will allow you to provide item listings
as x per page, and will generate the Pages: 1 2 3, etc links
if needed. You will need to modify the queries as per your
own actual needs, and the database connection/selection code is
not included here, so it's assuming that code is already somewhere else
in your page. (That's why this code snippet page will give you an error
if it executes - no database info.)

Don't get freaked out by how long it is - 70% of it is comments to
help you understand what it is that we're doing. :) */

/* BEGIN CODE SECTION */
/* ---------------------------------------- */

/* per page limit - this can be included in a separate file, as long as you
are sure to include that file on the page you want the numbering on - otherwise
it's fine to just code it here - for this example, we're using 16 items per page */
$user_view_limit = 16;

/* set this variable to whatever the max number of page numbers you wish to be
displayed at any given time */
$max_pages_to_show = 5;

/* read the page # from the query string as an integer (never as raw text),
and if there is no page # passed, assign $page the value of 1 */
$page = isset($_GET['page']) ? (int) $_GET['page'] : 0;
if ($page <= 0) {
    $page = 1;
}

/* this code just figures out the limit for the sql statement that actually
gets that page's item data */
$limitvalue = $page * $user_view_limit - $user_view_limit;

/* the query to get actual results - your query would go here, but be sure to
include the LIMIT $limitvalue, $user_view_limit part at the end.
Our example is pulling articles from the "articles" table that have the category ID of 2 */
$sql = "select Title from articles where CatID=2 LIMIT $limitvalue, $user_view_limit";

/* the query to get the total number without the limit */
$sqlcount = "select count(*) from articles where CatID=2 ";

/* this is used by the function in case you need to pass other stuff in your
query string. If you're not passing anything else, this should be set to just "?"
as is shown in this example -
To pass more variables through the query string, you would just change it to
something like: $print_query = "?cat_id=$cat_id&"; */
$print_query = "?";

/* get the total number data and find out what the grand total is */
$sql_countresult = mysql_query($sqlcount);
list($totalrows) = mysql_fetch_row($sql_countresult);

/* get the actual item data and print it out on the page */
if ($get_items = mysql_query($sql)) {
    $num_items = mysql_num_rows($get_items);

    /* see if we actually have any matches in the DB */
    if ($num_items > 0) {

        /* if there's more than one page needed, print out the page #s
        In this example, products.php is the page that the link will be printed out with.
        To use a different page, simply change this value in your function call */
        if ($user_view_limit < $totalrows) {
            make_user_page_nums($totalrows, $print_query, $_SERVER['PHP_SELF'], $user_view_limit, $page, $max_pages_to_show);
        }

        /* print out the actual item details - you would change this code to
        make it print out the fields and data the way you want it to appear
        on the page */
        while (list($foo) = mysql_fetch_row($get_items)) {
            echo "\n";
            echo htmlspecialchars($foo);
        }

    /* if there are no matches, print out an error */
    } else {
        echo "No items listed";
    }

/* if the query failed, let's see if mysql returns an error */
} else {
    echo "An error has occurred:\n";
    echo mysql_error();
}

/* THE ACTUAL make_user_page_nums FUNCTION */
/* ---------------------------------------- */

function make_user_page_nums($total_results, $print_query, $page_name, $results_per_page, $page, $max_pages_to_show) {

    echo "Pages: ";

    /* every link starts with the script name and the query string prefix; escape
    it once here, because PHP_SELF echoes back whatever path the browser requested */
    $link_base = htmlspecialchars($page_name . $print_query, ENT_QUOTES) . "page=";

    /* PREV LINK: print a Prev link, if the page number is not 1 */
    if ($page != 1) {
        $pageprev = $page - 1;
        echo "<a href=\"" . $link_base . $pageprev . "\">&lt; Prev</a> ";
    }

    /* get the total number of pages that are needed */

    $showpages = round($max_pages_to_show / 2);
    $numofpages = ceil($total_results / $results_per_page);

    if ($numofpages > $showpages) {
        $startpage = $page - $showpages;
    } else {
        $startpage = 0;
    }

    if ($startpage < 0) {
        $startpage = 0;
    }

    if ($numofpages > $showpages) {
        $endpage = $page + $showpages;
    } else {
        $endpage = $showpages;
    }

    if ($endpage > $numofpages) {
        $endpage = $numofpages;
    }

    /* loop through the page numbers and print them out */
    for ($i = $startpage; $i < $endpage; $i++) {

        /* if the page number in the loop is not the same as the page we're on, make it a link */
        $real_page = $i + 1;
        if ($real_page != $page) {
            echo "<a href=\"" . $link_base . $real_page . "\">" . $real_page . "</a> ";

        /* otherwise, if the loop page number is the same as the page we're on, do not make it a link, but rather just print it out */
        } else {
            echo $real_page . " ";
        }
    }

    /* NEXT LINK - If the totalrows - $results_per_page * $page is > 0 (meaning there is a remainder), print the Next button. */
    if (($total_results - ($results_per_page * $page)) > 0) {
        $pagenext = $page + 1;
        echo "<a href=\"" . $link_base . $pagenext . "\">Next &gt;</a> ";
    }

}

/* END OF PAGE NUMBERING SNIPPET CODE */
/* ---------------------------------------- */

?>
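The window arithmetic above mixes integers, rounded halves and a fractional page count, and the links are assembled by concatenating `PHP_SELF` with a hand-written `?cat_id=...&` prefix. As an added example (not the snippet's code), here is the same "x per page, y page numbers shown" behaviour as a pure function over integers, with the page number from the query string cast and clamped before it is used, the `LIMIT` offset derived from it, and the links built with `http_build_query()` and escaped. The `products.php` script name, the `cat_id=2` extra parameter and the 250-row total are constructed inputs for the demo.

```php
<?php
// Added example, not the snippet above: the page-window arithmetic pulled out
// into a function that takes only integers, so the page number from the query
// string is cast before it touches anything, out-of-range pages are clamped,
// and the links are built with http_build_query() and escaped instead of
// concatenating raw PHP_SELF and a hand-written "?cat_id=...&" prefix.
function page_window(int $total, int $per_page, int $page, int $max_to_show): array {
    $per_page = max(1, $per_page);
    $pages    = max(1, (int) ceil($total / $per_page));
    $page     = min(max(1, $page), $pages);          // clamp to 1..$pages
    $half     = intdiv($max_to_show, 2);
    $first    = max(1, $page - $half);
    $last     = min($pages, $first + $max_to_show - 1);
    $first    = max(1, $last - $max_to_show + 1);    // keep the window full near the end
    return [
        'page'   => $page,
        'pages'  => $pages,
        'first'  => $first,
        'last'   => $last,
        'offset' => ($page - 1) * $per_page,         // the value for LIMIT offset, count
        'prev'   => $page > 1 ? $page - 1 : null,
        'next'   => $page < $pages ? $page + 1 : null,
    ];
}

// Renders "Pages: < Prev 7 8 [9] 10 11 Next >" with escaped links.
function page_links(string $script, array $extra, array $w): string {
    $link = function (int $p, string $text) use ($script, $extra): string {
        $qs = http_build_query(array_merge($extra, ['page' => $p]));
        return '<a href="' . htmlspecialchars($script . '?' . $qs, ENT_QUOTES) . '">'
             . htmlspecialchars($text, ENT_QUOTES) . '</a> ';
    };
    $html = 'Pages: ';
    if ($w['prev'] !== null) { $html .= $link($w['prev'], '< Prev'); }
    for ($p = $w['first']; $p <= $w['last']; $p++) {
        $html .= ($p === $w['page']) ? "<strong>$p</strong> " : $link($p, (string) $p);
    }
    if ($w['next'] !== null) { $html .= $link($w['next'], 'Next >'); }
    return $html;
}

// Constructed inputs: 250 articles, 16 per page, the browser asked for page=9.
$page = isset($_GET['page']) ? (int) $_GET['page'] : 9;   // "9abc" or "-3" never reach SQL as text
$w    = page_window(250, 16, $page, 5);
// $sql = "SELECT Title FROM articles WHERE CatID = 2 LIMIT {$w['offset']}, 16";  // integers only
echo page_links('products.php', ['cat_id' => 2], $w), "\n";
```

Because `page_window()` only ever sees integers and returns the `LIMIT` offset itself, the query string can no longer carry anything but a number into the SQL, and because the window is clamped, a request for page 9999 simply lands on the last page instead of running a query with an offset past the end of the table.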



Posted on June 27, 2002 - by snipe

Page Numbering (with x results per page)
