jfkafka
-
Posts
161 -
Joined
-
Last visited
Posts posted by jfkafka
-
-
follow-up:
status: resolved
solution: added rotator to header.php and removed conflicting mootools slideshow
benefit: yours is superior having (cept for thumbnails) all mootools functionality plus click feature
quite a spectacular enhancement
Thanks,
jk
-
Thanks for the swift reply. I checked out the page, thanks,
and understand the concept, it's that danged execution
that's bedeviling me. Did get it to work on another page (very impressive!)
so it seems like the place to concentrate is index.php
(I was kinda bouncing in and out of modules/ and functions/ too
trying to "crack the combination" or "get lucky")
Well, I'll follow up when I stumble on the solution,
it's definitely worth the effort,
Thanks again,
jk
-
Hi kymation,
Hope all is excellent with you and thanks for the snazzy mod
Re Post #11
Problem completely solved with:
jQuery.noConflict();
Having similar symptoms - seeing dots (well, one large black one)
Not sure how to implement the cure (jQuery.noConflict();)
This didn't work:
<?php // Start Banner Rotator 1.2.1 20100628 Kymation 7641 ?>
<script type="text/javascript" src="includes/functions/jquery-1.4.2.min.js"></script>
<script type="text/javascript" src="includes/functions/bannerRotator.js"></script>
<script type="text/javascript">
jQuery.noConflict();
$(document).ready(function(){
bannerRotator('#bannerRotator', 500, 1000);
});
</script>
<?php // End Banner Rotator 1.2.1 20100628 Kymation 7641 ?>
Tried several variations, including: (in index.php)
var $j = jQuery.noConflict();
// Use jQuery via $j(...)
$j(document).ready(function(){
bannerRotator('#bannerRotator', 500, 1000);
});
along with renaming all the $( instances in bannerRotator.js to $j(
(yes, the desperation is running thick and heavy)
This caused the page to stop loading and no dot
(with both the original bannerRotator.js $( and the modified $j( version)
There are 3 banners in the rotator group and I put breakpoints in the function/banners.php
to make sure the queries are populated, (which the black dot might be confirming?)
Could you please elaborate on how to use: jQuery.noConflict();
Thanks for your insight (and mercy)
jk
-
Hi Robert,
Happy Holidays.
I see we've both been busy updating your esteemed contributions, thanks for all.
have 3 questions (PRO_r197)
re: public_html/includes/modules/ultimate_seo_urls5/database_install/ installer_class.php
1. Should that be deleted after completing installation? (I hope this question doesn't cause chortling)
re: (from Upgrade from Ultimate Seo Urls 5 by FWR Media)
2) Uploads directory
Upload the files and directories in the "uploads" directory to your server maintaining the directory structure of osCommerce.
Please note that "catalog" refers to the root of your osCommerce install and probably won't actually exist.
Important: now ensure that the following two directories are writable. Dependent on your server this may be 0755 or 0777.
* catalog/includes/ultimate_seo_urls5/cache_system/cache/
* catalog/includes/ultimate_seo_urls5/cache_system/sqlite/
2. That should be:
* catalog/includes/modules/ultimate_seo_urls5/cache_system/cache/
* catalog/includes/modules/ultimate_seo_urls5/cache_system/sqlite/
Correct?
Updated page_modules.php (Randy's bug)
Another change was recently discussed (.htaccess)
# 500 RewriteRule ^([a-z0-9-/]+).html$ product_info.php [NC,L,QSA]
# Works RewriteRule ^([a-z0-9/-]+).html$ product_info.php [NC,L,QSA]
Either way, received no errors (localhost, xxamp, php5.3)
3. Was that change global/generic or specific to a certain situation?
Thanks for your illumination,
jk
-
The problem is that adding specific file extensions to a banned list is a blacklist approach.
Blacklist approaches rarely work when trying to stop hackers and the huge range of hacking vectors.
Some examples of php extensions are .php3, .php4, .php5 etc etc.
But turning the engine off PHP simply doesn't work in that directory regardless of the file extension.
My view with writeable directories ( especially on shared servers ) is ..
Do I intend to parse files in this directory via PHP?
Answer no .. Turn the engine off.
I'm immensely grateful for your considerate and thoughtful explanation.
At the same time, I'm reminded of that line from an old western
where one cowboy turns to the other and drawls,
"You know, Clem, you're like an owl,
the more light is shined on something, the less you see".
(In this scene, I'm Clem)
For the sake of expedience and distillation,
Here is how I "see" it:
Multi-Phase Objective:
Allow the site to be toured, while monitoring/restricting access to sensitive areas/preventing vandalism/discouraging theft, bugging, redirection, offensive conduct, in general, behaving in any manner deemed dishonorable/unethical/low down varmints
htaccess Strategy: in writable directories
Install htaccess 403 Forbidden (a No Trespassing sign?)
that must be fortified with two additional supplements
to wit, your inclusion of additional code in the htaccess:
1. php_flag engine off
2. <Files ~ "\.(php*|s?p?html|cgi|pl|ini)$">
deny from all
</Files>
So now, I'm drawing the conclusion that somehow,
like a No Trespassing sign,
403 Forbidden alone is insufficient to deter the determined
OK, maybe I shouldn't underestimate the resourcefulness of
those hellbent on havoc and further buttress the writable directories by
disabling the php engine:
php_flag engine off
as well as, making certain file extensions inaccessible/tamperproof:
<Files ~ "\.(php*|s?p?html|cgi|pl|ini)$">
This seems like not only do we turn the php engine off,
we also "unplug" php*|s from the receptacle, so to speak
Am I on the right track with this synopsis of the htaccess's additional dual purpose?
Then, in a desperate googling effort to find some answers on my own, I came across this,
"Note that when PHP is disabled then the end user will get the source code of the PHP script in their browser."
Which strikes me as being analogous to protecting the secret of how to make a bomb
by putting it on public display behind bulletproof glass (or am I just being shy)
Suddenly, I realize it's disrespectful and lazy of me to keep bothering you
when I should be familiarizing myself
with the information you've already painstakingly provided,
except for one last question,
How would someone add you to their Christmas List?
jk
-
Well if PHP is built as a CGI rather than a CLI program then those rules will exclude the execution of files with those extensions.
Turning the PHP engine off and excluding files with a .php extension however are different.
Check with your hosts but I thought you could just include
engine = off
In a php.ini file if running as a CGI.
Thank you, Robert, for that thought provoking answer,
in fact,
I'm struggling diligently, translating it into my native language
(something called english)
to say your answer was a little over my head would be akin
to saying the ocean is slightly damp
and yet... I sense the urgent prudence of minimizing "exposure"
within writable directories as an integral part of any strategic defense,
to be candid, I was under the impression that 403 Forbidden was ample
to thwart any unwelcome stunts, that's where I'm stumbling,
Is turning the engine off because it's possible to penetrate beyond 403 Forbidden?
Sorry if this post appears to be anything but genuine admiration for your guidance.
jk
-
That's a good observation. I am far from an expert on this but regardless of the cause, I think excluding those directories is the way to go for those using PHPIDS. So far so good for me anyway.
Unless, of course, an if then conditional could be added for those two folders only
that ignored the comma, thus still providing notification of any other signs of
infiltration. Or maybe I'm just being overly cautious or is that naive?
jk
-
So busy reading the response, I failed
to notice the author, dunce that I am.
Thanks, altoid.
It is puzzling how those
.ser file values are changing when creating
a fresh reference file from an empty reference
file, and then immediately hitting
the 3rd button while on localhost.
Oh wait, those PHPIDS files have commas
in the file name and coincidently (in the case of one mismatch)
Currently set to "0" was set to "327"
the 327 happened to be the file size
so those mismatches might not be because of changing values,
so much as, site monitor readings being sidetracked by unexpected
punctuation.
And Jack mentioned those file names were invalid (comma-tose?)
so maybe, just maybe, this explains the anomaly.
Which in turn would certainly reduce my paranoia
about ghosts in the machine.
jk
-
No
ini_set('php_flag engine', 'off');
is rubbish.
in lieu of php_flag engine off
The hosting rep suggested using different command/s.:
"For example you can use a local .htaccess file with directives like the below ones:
# disable all CGI here
Options -ExecCGI
AddHandler text/html .php
AddHandler text/html .cgi
AddHandler text/html .pl
AddHandler text/html .htm
AddHandler text/html .html
AddHandler text/html .shtml
----- end quote -------
Hopefully that is a different route (from php_flag engine off) to the same destination.
Would you put a stamp of approval on that recommendation?
Thanks for your inimitable insight,
jk
-
hmmm apparently
ini_set('php_flag engine', 'off');
Is NOT a directive at all (according to the hosting rep)
so it probably makes both earlier questions moot
What he recommended was use different command/s.:
"For example you can use a local .htaccess file with directives like the below ones:
# disable all CGI here
Options -ExecCGI
AddHandler text/html .php
AddHandler text/html .cgi
AddHandler text/html .pl
AddHandler text/html .htm
AddHandler text/html .html
AddHandler text/html .shtml
----- end quote -------
Hopefully this is a different route (from php_flag engine off) to the same destination.
Thanks for bearing with me during this period of uncertainty,
jk
-
I am using PHPIDS and had a similar situation. See this thread in the PHPIDS forum, that should help explain.
Wow, you are just too incredible!
One last question
How do I add you to my Christmas List?
jk
-
It is a security measure, turning off the php engine in writeable directories stops php files from being executed.
What your host has done is say "lower your security" and haven't even bothered to warn you.
Thank you for pointing this out. I re-contacted them and they suggested putting a php.ini file into each writable directory.
So I put a php.ini:
ini_set('php_flag engine', 'off');
into the cache directory
Browsed to it and got the 403 Forbidden (which I also got without the php.ini)
just not certain:
1. ini_set('php_flag engine', 'off');
Is the correct directive?
2. Does it need to be turned back ON elsewhere?
Thanks for your expert assistance,
jk
-
That is an invalid filename. SiteMonitor can't handle invalid filenames.
Appreciate your blazing fast response.
well, that may explain the mismatches. Also noticed that ser file had all
the boxes checked for permissions and trying to set it to 644 was futile
(at least it was from ftp).
Any advice regarding ser files and permissions?
Thanks,
jk
-
The code ran when the third button is used is the same as for the first except the reference file isn't replaced and the output is displayed on the screen. If you click on the second update button is the email you receive clean of errors? If it is, I haven't a clue why the second would work and not the third. If it isn't, then it would seem your reference file is not being created correctly somehow.
Thanks for your response. Using localhost, unable to send emails at present, so used 3rd button for display. It seems there's something about those phpids/files that may explain the reset messages. I'm just unclear why on a fresh reference file there would be
anything to compare ie. Currently set to "0" was set to "327". I'm presuming this indicates the reference file is otherwise working
properly for the other 6000+ files.
Ran the 3rd button again:
Sitemonitor ran on December 19, 2010, 9:22 am
Total mismatches found were 18
Total files being monitored is 6762
Email sent to shop owner.
Checked the first flagged file:
Difference found: New-> includes/phpids/lib/IDS/tmp/CSS/4.1.1 Original-> 801ad73acbcf9d3127e1d01768d26453
Navigated to the file (includes/phpids/lib/IDS/tmp/CSS/4.1.1)
Name of file:
4.1.1,801ad73acbcf9d3127e1d01768d26453,1.ser
Is that comma between 4.1.1 and 8 causing this file to be listed?
If so, what is the remedy?
Thanks for your invaluable input,
jk
-
Hi Jack,
v2.7
Hope all is excellent with you.
When using the 3rd Update button
(Manually Execute Sitemonitor)
getting numerous (36) messages like: (all in the phpids folder, btw)
permissions Mismatch on includes/phpids/lib/IDS/tmp/URI/4.1.1 Currently set to "0" was set to "327"
permissions Mismatch on includes/phpids/lib/IDS/vendors/htmlpurifier/HTMLPurifier/DefinitionCache/Serializer/CSS/4.1.0 Currently set to "0" was set to "22628"
not sure how to decipher Currently set to "0" was set to "327" (or the variations)
since I deleted the contents of the reference file and created a new one with the top button prior to clicking the 3rd button
so what is being compared
1. What is causing it to be set to 0?
2. Should it be reset to the original value?
3. Is this a sign of some skullduggery?
Thanks for helping me better understand,
jk
-
No .. I would expect something like ..
Perhaps your server doesn't allow rules in .htaccess.
Hi Robert. Thanks for your reply.
After googling and trying different modifications,
what did elicit a 403 response was commenting out
# php_flag engine off
<Files ~ "\.(php*|s?p?html|cgi|pl|ini)$">
deny from all
</Files>
Also contacted the hosting help desk who replied:
Thank you for contacting our Support Team.
Please delete the following code from the .htaccess file:
php_flag engine off
After that save the file and the issue should be resolved.
-------- end -------------
1. What functionality is sacrificed when php_flag engine off is not executed?
2. If php_flag engine had been set to off, does it need to later be set to on?
Thanks for all your invaluable input.
jk
-
Hi Robert,
RE: KISS_FileSafe_version_1.0_r12 7564
I added the .htaccess file to cache directory as recommended
then browsed to it and received this:
500 - Internal Server Error
This is a temporary server error.
Please try to reload the webpage later.
If you are the webmaster of this site please log in to Cpanel and check the Error Logs. You will find the exact reason for this error there.
Common reasons for this error are:
* Incorrect file/directory permissions: Above 755. In order files to be processed by the webserver, their permissions have to be equal or below 755. You can update file permissions with a FTP client or through cPanel's File Manager.
* Incorrect Apache directives inside .htaccess file. Make sure you have not specified unsupported directives inside the local .htaccess file. Such include PHP settings and Apache module settings.
------------ end -----------------
Is this the correct behavior for the .htaccess code:
php_flag engine off
<Files ~ "\.(php*|s?p?html|cgi|pl|ini)$">
deny from all
</Files>
You really make installation a breeze by the way,
Thanks for your support,
jk
-
Make sure you have gone through each of the steps mentioned under "Step-B: Admin" of our Read_Me File. You might have missed something.
Make sure your 'banned_ip' db table has the fields 'reason' and 'ip_status'. You need to verify and update the table or remove that table and do the re-installation.
Hi,
Thanks for your rapid response.
Have rechecked Step B. All is in accordance with instructions.
Make sure your 'banned_ip' db table has the fields 'reason' and 'ip_status'.
Affirmative
and is being written to with your original code,
as well as, my slightly altered version.
I then put your original banned_ip.php back in admin
Tried to insert new IP
Result: (same as before)
Notice: Undefined variable: ipInfo in public_html\RENAMED ADMIN FOLDER\banned_ip.php on line 153
Notice: Trying to get property of non-object in public_html\RENAMED ADMIN FOLDER\banned_ip.php on line 153
IP Address Date & Time Reason
555.555.555.555 2010-12-16 07:15:36 testing insert
Next tried to Update IP
Result: same as before - white page (not finishing the page refresh)
Notice: Undefined variable: ip_status in public_html/RENAMED ADMIN FOLDER/banned_ip.php on line 51
Warning: Cannot modify header information - headers already sent by (output started at public_html/RENAMED ADMIN FOLDER/banned_ip.php:51) in public_html/RENAMED ADMIN FOLDER/includes/functions/general.php on line 265
I had to hit browser Back arrow to get back to admin page (banned_ip.php?ipID=12&action=edit)
Result: update was saved but generated error caused the above Notice & Warning on white page
IP Address Date & Time Reason
555.555.555.555 2010-12-16 07:15:36 testing update
Conclusion:
With
error_reporting(E_ALL);
ini_set('display_errors', '1');
Insert and Edit/Update DO WORK (save info) but
cause Error Notices:
Undefined variable: ipInfo ($ipInfo->reason) [for Insert]
Undefined variable: ip_status [for Update]
Please forgive me for being so obtuse, but
Are you saying when PHPIDS_for_osCommerce_1_6 is correctly installed/configured:
a. These error/notices should not be invoked
With
error_reporting(E_ALL);
ini_set('display_errors', '1');
b. It's ok to ignore Error/Notice because the data is being saved,
turn off error reporting, ini_set('display_errors', '0')
c. These variables are supposed to be initialized,
my copy of banned_ip.php (original download of PHPIDS_for_osCommerce_1_6) may be defective
d. None of the above
Thank you for helping me understand,
jk
-
Hi Celextel,
During testing, had 2 "situations"
1. Trying to Insert a new IP (in admin/PHPIDS) and getting this:
Notice: Undefined variable: ipInfo in public_html\RENAMED ADMIN FOLDER\banned_ip.php on line 153
Notice: Trying to get property of non-object in public_html\RENAMED ADMIN FOLDER\banned_ip.php on line 153
The code referenced was:
$contents[] = array('text' => '<br />' . TABLE_HEADING_REASON . '<br />' . tep_draw_textarea_field('reason', 'soft', '40', '6', $ipInfo->reason));
CHANGED TO: (replaced $ipInfo->reason with ''
because there IS no reason yet - it's a new insert)
$contents[] = array('text' => '<br />' . TABLE_HEADING_REASON . '<br />' . tep_draw_textarea_field('reason', 'soft', '40', '6', ''));
Result: No more error/Notice for Insert new IP
2. Trying to Edit/Update existing IP (in admin/PHPIDS) and getting this:
Notice: Undefined variable: ip_status in public_html\RENAMED ADMIN FOLDER\banned_ip.php on line 53
The code referenced was:
if (tep_not_null($ip_status)) {
CHANGED: commented out
/* if (tep_not_null($ip_status)) {
tep_db_query("update " . TABLE_BANNED_IP . " set ip_status = '0' where id = '" . (int)$_GET['ipID'] . "'");
}
*/
Reasoning for commenting out:
The IP status can be toggled (not really part of the Update process in the right side box)
Result: No more error/Notice for Update IP
Having learned the hard way not to ASSume
Is there a reason for NOT changing the code that I'm unaware of?
jk
-
-
At least I got the Author right!
Thanks for pointing me in the right direction.
jk
-
Hi FWR,
Hope all is excellent with you.
This contribution is world class,
appreciate your generosity in sharing it.
I believe someone else was having a problem
with the @ sign being removed from the email address
(in my case it happens when unsubscribing to newletters)
Tried using the upper right search (@ sign missing from email)
but was unsuccessful
Can you recommend a method to search through this thread
to find this particular topic?
Thanks for your support,
jk
-
Hi again,
RE: Grant write access [chmod 777] to the "tmp" folder [phpids/lib/IDS/tmp] and also to phpids_log.txt log file which is inside the "tmp" folder.
My hosting has the "tmp" folder set to 755 and the phpids_log.txt log file set to 644.
It seems to be working fine with these settings. (writes to log file)
1. Should they be changed to 777?
Also regarding exclusions:
REQUEST.__utmz, COOKIE.__utmz
2. What are these for?
Thanks,
jk
-
Found the problem
It was the nut behind the wheel!
Thanks for your patience and support, Celextel
jk
jQuery Banner Rotator
in General Add-Ons Support
Posted
well, it was lookin good til i tried internet explorer
now get this: object doesn't support this property or method prototype.js
the code executes, however,
when the banner changes, the page height expands downward (doubles)
basically "dribbles" whatever is underneath (the rest of the page)
i reckon by putting it in the header,
it isn't getting some code that appears maybe in index.php?
any insight?
jk