| Author |
Message |
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
 Posted:
Thu Nov 18, 2004 4:08 pm |
|
Due to conflicts with standard code in nuke releases, we highly recommend that you do the following if you haven't already. NukeSentinel protects without this code.
In mainfile.php, if you have this code, you should either comment it out or delete it.Code://Union Tap
//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta 3 Code to prevent UNION SQL Injections
unset($matches);
unset($loc);
if (preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /", rawurldecode($loc=$_SERVER["QUERY_STRING"]), $matches)) {
die();
}
$queryString = strtolower($_SERVER['QUERY_STRING']);
if (stripos_clone($queryString,'%20union%20') OR stripos_clone($queryString,'/*') OR stripos_clone($queryString,'*/union/*') OR stripos_clone($queryString,'c2nyaxb0')) {
header("Location: index.php");
die();
}
|
And again, in admin.php do the same. Please note that where you see the ///////////////, that indicates a REQUIRED line of code. That is where you may have this line: require_once("mainfile.php"); That line must remain.Code:// Uncomment the following block of code after editing the next line to match your site domain
$domainname = "www.yourdomainname.com";
if ($_SERVER['SERVER_NAME'] != $domainname ) {
echo "Access denied";
die();
}
//////////////////////////////////////////////////
$checkurl = $_SERVER['REQUEST_URI'];
if((stripos_clone($_SERVER["QUERY_STRING"],'AddAuthor')) || (stripos_clone($_SERVER["QUERY_STRING"],'VXBkYXRlQXV0aG9y')) || (stripos_clone($_SERVER["QUERY_STRING"],'QWRkQXV0aG9y')) || (stripos_clone($_SERVER["QUERY_STRING"],'UpdateAuthor')) || (preg_match("/\?admin/", "$checkurl")) || (preg_match("/\&admin/", "$checkurl"))) {
die("Illegal Operation");
}
|
|
| |
|
|
|
blith
Client
Joined: Jul 18, 2003
Posts: 977
|
| Posted:
Fri Nov 19, 2004 8:05 am |
|
Okay to be sure... in admin.php. We are to leave Code:
$checkurl = $_SERVER['REQUEST_URI'];
if((stripos_clone($_SERVER["QUERY_STRING"],'AddAuthor')) || (stripos_clone($_SERVER["QUERY_STRING"],'VXBkYXRlQXV0aG9y')) || (stripos_clone($_SERVER["QUERY_STRING"],'QWRkQXV0aG9y')) || (stripos_clone($_SERVER["QUERY_STRING"],'UpdateAuthor')) || (preg_match("/\?admin/", "$checkurl")) || (preg_match("/\&admin/", "$checkurl"))) {
die("Illegal Operation");
}
|
Or just leave the Code:require_once("mainfile.php");
|
|
| |
|
|
|
Raven
|
| Posted:
Fri Nov 19, 2004 10:08 am |
|
|
|
|
|
blith
|
| Posted:
Thu Mar 10, 2005 9:28 am |
|
In my code the Code:require_once("mainfile.php");
|
had a @ in front of it like this Code:@require_once("mainfile.php");
|
should it stay? |
| |
|
|
|
|
Mesum
Useless
Joined: Aug 23, 2002
Posts: 213
Location: Chicago
|
| Posted:
Thu Mar 10, 2005 9:58 am |
|
|
|
|
|
Raven
|
| Posted:
Thu Mar 10, 2005 10:08 am |
|
Let me add that the @ suppresses any error messages and you will probably receive a blank screen if an error occurs. While it can mask some incidental error messages, it can make debugging more difficult. That's not a reason to remove it, but just an awareness. |
| |
|
|
|
|
blith
|
| Posted:
Thu Mar 10, 2005 10:56 am |
|
ahh interesting. Thank you. |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
