
Chat room not working

    # August 17, 2014 at 5:40 am

    I followed this tutorial http://css-tricks.com/jquery-php-chat/
    After reading it I downloaded the source code and put it up on http://myprojectwork.eu5.org/
    The chat room is not working as described. It does not show any message.
    Why is this happening?

    # August 18, 2014 at 9:34 am

    @chatroom There’s a significant security flaw within the code.

    # August 19, 2014 at 4:48 pm

    Hey Chris, thanks for the quick reply. I was first trying to get it working and then consider security. I have run into a problem that I can’t upload pictures; the pics get uploaded when I am using XAMPP. When I put the code on http://freewebhostingarea.com for testing, nothing happens after uploading the pics. I am posting some code:
    if (isset($_FILES['image']['name']))
    {
      $saveto = "$user.jpg";
      move_uploaded_file($_FILES['image']['tmp_name'], $saveto);
      $typeok = TRUE;
      switch($_FILES['image']['type'])
      {
        case "image/gif":   $src = imagecreatefromgif($saveto); break;
        case "image/jpeg":  // Both regular and progressive jpegs
        case "image/pjpeg": $src = imagecreatefromjpeg($saveto); break;
        case "image/png":   $src = imagecreatefrompng($saveto); break;
        default:            $typeok = FALSE; break;
      }
    }

    # August 19, 2014 at 5:06 pm

    If you considered security, why are you using this? Anyway, are you getting an error?

    # August 19, 2014 at 5:25 pm

    I am getting no error. The file is just not uploaded. I have changed all permissions to 777; that does not help either.

    # August 19, 2014 at 6:07 pm

    Are you sure the errors are not logged?

    __
    # August 19, 2014 at 6:10 pm

    Let’s take a quick look at this:

    $saveto = "$user.jpg";
    

    Is the $user variable defined anywhere? If not, your “saveto” filename is just .jpg. Also, why are you labelling the file as a jpeg when you also accept gif and png formats (and don’t yet know which was uploaded)?

    move_uploaded_file($_FILES['image']['tmp_name'], $saveto);
    

    You’re saving the uploaded file before you do any validation. Basically, nothing matters after this point, because you have already accepted the file.

    $typeok = TRUE;
    

    What’s the point of this?

    switch($_FILES['image']['type'])
    

    Remember, the “mime type is however not checked on the PHP side and therefore don’t take its value for granted.”

    $src = imagecreatefromgif($saveto);  // and fromjpg, frompng
    

    Are you using $src for some purpose later on? As mentioned above, if this is supposed to be a security check, it’s too late.

    default:            $typeok = FALSE;
    

    What’s the point of this?

    I am getting no error. The file is just not uploaded.

    → Are you sure you’re not getting an error? You’ve made sure that error reporting is enabled? You’ve checked your error logs and made sure there were no error messages output to your page source?

    → You’re sure the file is not uploaded? How did you check? Keep in mind that, if your $saveto begins with a dot, the filesystem will consider it “hidden” and not display it by default.

    tl;dr: This should not be on your server. It is an open door for someone to take over.

    I am also not sure if this is the same problem you originally posted about. (It would seem not.) If you’re interested in uploading files, you should do some research, start over, and then ask any specific questions.

    If you’re still asking about the chat server, “there are security problems” is not an idle comment. It means, “DO NOT USE THIS.” If you want to make your own, my advice is to start without ajax (so it works via normal form submissions), and then add ajax to it once you get things figured out.

    # August 19, 2014 at 6:15 pm

    I would also add that generally when you’re aware of vulnerable code, especially when someone tells you it’s a security risk, your users won’t be too happy if their data could potentially be exposed (password, private messages).

    # August 19, 2014 at 6:46 pm

    It’s working now. I have created two accounts there, Harish and Nitish. There was a third one named test. One of you guys created that, I suppose. Thanks for being so helpful.
    @__ $user is set to the username, for ex. harish.jpg etc. Also $typeok is set to true but then I check in switch statements if the file is in permitted formats; if not, I set $typeok to false. I don’t understand why it is too late. Where should I put it then?

    @chrisburton How are the passwords and private messages exposed? I don’t understand that. Could you please explain how someone could access passwords etc.? Thanks for being patient.

    # August 19, 2014 at 7:22 pm

    Look at the CSS-Tricks link you posted and then click on the updated version and read.

    Also, this shouldn’t happen when users don’t exist.

    __
    # August 19, 2014 at 7:35 pm

    $typeok is set to true but then i check in switch statements if the file is in permitted formats if not i set $typeok to false.

    This is not actually what is happening. Depending on what the user claims the file type is (not the same as what the file type really is), you either set a variable named $src or change $typeok to false. Neither action seems to have any purpose (unless you make some use of them later).

    I don’t understand why is it too late. Where should i put it then?

    It is “too late” because you have already saved the uploaded file. (So, really, why bother checking at all?) If you do check the file type (which, as described above, you are not effectively doing now), you would need to do so before saving the uploaded file.
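    An added example, written for this thread rather than taken from the tutorial or from either poster’s code, of the order __ describes in the two replies above: every check runs against PHP’s temporary upload file, and nothing is written to the uploads directory until the file has actually been decoded as an image. The type comes from the file’s bytes via getimagesize(), not from $_FILES['image']['type'], and the thumbnail is re-encoded so the client’s original bytes never land on disk. The upload directory, the username pattern, the 2 MiB limit and the session lookup are assumptions; it needs PHP 8 for match.

```php
<?php
// Added example (not the thread's or the tutorial's code): validate first, save last.
declare(strict_types=1);

const AVATAR_MAX_BYTES = 2 * 1024 * 1024;   // assumed hard limit: 2 MiB
const AVATAR_MAX_SIDE  = 100;               // thumbnail edge, as in the thread

/**
 * Validates one entry of $_FILES and saves a freshly encoded JPEG thumbnail.
 * Returns the saved path; throws RuntimeException before anything touches disk.
 */
function save_avatar(array $file, string $user, string $uploadDir): string
{
    // 1. Transport checks: PHP reported no error, size is sane, and tmp_name
    //    really is this request's upload (not an arbitrary path).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . (int) ($file['error'] ?? -1));
    }
    if (($file['size'] ?? 0) > AVATAR_MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    $tmp = (string) ($file['tmp_name'] ?? '');
    if ($tmp === '' || !is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 2. The username becomes part of a filename, so restrict it to a safe
    //    character set (assumed pattern) instead of trusting it blindly.
    if (preg_match('/^[a-z0-9_]{1,32}$/i', $user) !== 1) {
        throw new RuntimeException('Unsafe username');
    }

    // 3. Detect the type from the bytes. $_FILES[...]['type'] is client-supplied
    //    and, as the thread quotes, "not checked on the PHP side".
    $info = getimagesize($tmp);
    if ($info === false) {
        throw new RuntimeException('Not a decodable image');
    }
    [$w, $h] = $info;
    $mime = $info['mime'];

    $src = match ($mime) {
        'image/gif'  => imagecreatefromgif($tmp),
        'image/jpeg' => imagecreatefromjpeg($tmp),
        'image/png'  => imagecreatefrompng($tmp),
        default      => false,
    };
    if ($src === false) {
        throw new RuntimeException('Unsupported or corrupt image: ' . $mime);
    }

    // 4. Scale to fit inside AVATAR_MAX_SIDE, keeping the aspect ratio.
    $scale = min(1.0, AVATAR_MAX_SIDE / max($w, $h));
    $tw = max(1, (int) round($w * $scale));
    $th = max(1, (int) round($h * $scale));
    $thumb = imagecreatetruecolor($tw, $th);
    imagecopyresampled($thumb, $src, 0, 0, 0, 0, $tw, $th, $w, $h);

    // 5. Only now write to disk: a new JPEG produced by GD, never the uploaded
    //    bytes themselves, with the extension fixed to match what was written.
    $dest = rtrim($uploadDir, '/') . '/' . strtolower($user) . '.jpg';
    $ok = imagejpeg($thumb, $dest, 85);
    imagedestroy($thumb);
    imagedestroy($src);
    if (!$ok) {
        throw new RuntimeException('Could not write ' . $dest);
    }
    return $dest;
}

// Usage inside the form handler. Assumes session_start() already ran and the
// logged-in username is in $_SESSION['user'] (hypothetical).
if (PHP_SAPI !== 'cli' && isset($_FILES['image'])) {
    try {
        $saved = save_avatar($_FILES['image'], (string) ($_SESSION['user'] ?? ''), __DIR__ . '/uploads');
        echo 'Saved ' . htmlspecialchars(basename($saved), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        error_log('avatar upload rejected: ' . $e->getMessage());
        echo 'Upload rejected.';
    }
}
```

    Two points from the discussion this relies on: the uploads directory should be one the web server can write to but will not execute scripts from, and while debugging the "nothing happens" symptom, turn on error_reporting(E_ALL) with display_errors in development (or read the error log) rather than guessing from a blank page.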

    # August 19, 2014 at 7:40 pm

    How did you do it!?
    traq does not exist. How can I fix it?

    EDIT: OK, I got it, you changed the link to view=traq;

    Any way to avoid it?

    # August 19, 2014 at 7:50 pm

    I can also add people to my friends page that don’t exist. Point: check if people exist, don’t allow people to add things to the page.

    It appears you are filtering XSS attacks for your form so that’s good. Although your URL parameters would make me nervous.
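    An added example, not from the thread or the tutorial, of the check chrisburton is asking for in the reply above: treat ?view=NAME (and whatever name is posted to the friends page) as untrusted input, normalise it, and confirm the user exists in the database before rendering anything or inserting a row. The SQLite schema, table names and sample accounts are assumptions; it runs from the command line against an in-memory database so it can be tried without the site.

```php
<?php
// Added example (not the thread's or the tutorial's code).
declare(strict_types=1);

// Hypothetical schema standing in for the tutorial's tables, filled with
// constructed sample accounts (the two the original poster mentioned).
function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY)');
    $db->exec('CREATE TABLE friends (owner TEXT, friend TEXT, PRIMARY KEY (owner, friend))');
    $ins = $db->prepare('INSERT INTO users (username) VALUES (?)');
    foreach (['harish', 'nitish'] as $u) {
        $ins->execute([$u]);
    }
    return $db;
}

// Same rule the registration form should enforce (assumed pattern); anything
// else is rejected before it reaches SQL or HTML.
function normalize_username(string $raw): ?string
{
    return preg_match('/^[a-z0-9_]{1,32}$/i', $raw) === 1 ? strtolower($raw) : null;
}

// Existence is decided by the database, never by the URL.
function user_exists(PDO $db, string $name): bool
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$name]);
    return $stmt->fetchColumn() !== false;
}

// Refuse self-friending and names that do not belong to a real account.
function add_friend(PDO $db, string $owner, string $friend): bool
{
    if ($owner === $friend || !user_exists($db, $owner) || !user_exists($db, $friend)) {
        return false;
    }
    // OR IGNORE is SQLite syntax: repeating the request is a no-op, not an error.
    $stmt = $db->prepare('INSERT OR IGNORE INTO friends (owner, friend) VALUES (?, ?)');
    return $stmt->execute([$owner, $friend]);
}

// What a profile page reached via ?view=NAME should do: 404 unless the user exists.
function render_profile(PDO $db, string $rawView): string
{
    $view = normalize_username($rawView);
    if ($view === null || !user_exists($db, $view)) {
        http_response_code(404);
        return 'No such user.';
    }
    return 'Profile of ' . htmlspecialchars($view, ENT_QUOTES, 'UTF-8');
}

// Command-line demo with constructed requests.
$db = open_demo_db();
echo render_profile($db, 'Harish'), "\n";     // existing account
echo render_profile($db, 'traq'), "\n";       // the name from the thread, no account
echo render_profile($db, 'bad name!'), "\n";  // rejected by normalize_username()
var_dump(add_friend($db, 'harish', 'nitish'));
var_dump(add_friend($db, 'harish', 'traq'));
```

    The same user_exists() check belongs in front of every write that takes a username from the request (friend requests, private messages), not only on the profile page; prepared statements keep the lookup itself safe regardless of what is in the parameter.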

    # August 19, 2014 at 7:51 pm

    $saveto = "$user.jpg";
    // The upload is moved into this directory, so every later read, re-write
    // and delete has to use the same full path, not the bare filename.
    $uploaddir = "/home/vhosts/myprojectwork.eu5.org/uploads/";
    $path = $uploaddir . $saveto;
    move_uploaded_file($_FILES['image']['tmp_name'], $path);
    $typeok = TRUE;

    switch($_FILES['image']['type'])
    {
      case "image/gif":   $src = imagecreatefromgif($path); break;
      case "image/jpeg":  // Both regular and progressive jpegs
      case "image/pjpeg": $src = imagecreatefromjpeg($path); break;
      case "image/png":   $src = imagecreatefrompng($path); break;
      default:            $typeok = FALSE; break;
    }

    if ($typeok)
    {
      list($w, $h) = getimagesize($path);

      $max = 100;
      $tw  = $w;
      $th  = $h;

      if ($w > $h && $max < $w)
      {
        $th = $max / $w * $h;
        $tw = $max;
      }
      elseif ($h > $w && $max < $h)
      {
        $tw = $max / $h * $w;
        $th = $max;
      }
      elseif ($max < $w)
      {
        $tw = $th = $max;
      }

      // GD expects integer dimensions
      $tw = (int) $tw;
      $th = (int) $th;
      $tmp = imagecreatetruecolor($tw, $th);
      imagecopyresampled($tmp, $src, 0, 0, 0, 0, $tw, $th, $w, $h);
      imageconvolution($tmp, array(array(-1, -1, -1),
        array(-1, 16, -1), array(-1, -1, -1)), 8, 0);
      imagejpeg($tmp, $path);
      imagedestroy($tmp);
      imagedestroy($src);
    }
    else
    {
      // imagedestroy() frees a GD image resource, it does not delete a file;
      // the rejected upload is removed from disk with unlink()
      unlink($path);
    }

    Now I am deleting that file from my database if it is not what it is supposed to be. Is the file still a problem?

    # August 19, 2014 at 7:58 pm

    @chrisburton the URL parameters have started making me nervous too :)
    Is there any site or link where I can read more about it and find my way around it? Thanks.

    Hey Chris, I was just curious, but is CSS-Tricks your site?

Viewing 15 posts - 1 through 15 (of 17 total)
