Member Avatar for polarpandabear

Hello Everyone! I'm a return user to this community. I just want to ask some help regarding of my problem in my site. the problem is that some of my php files can't display some of my content in our website. I'm a main programmer in our team and in the last months, our site run perfectly but it does not have strong security measures (but it does not matter here).

The site should have this in index.php

4a59e08014878b7c6d5938e5ae233b8e

but it only does load it's half on our site

c4863589389ec370d8dbcd06fb24ba22

our site is shinji3dmovie.com

Things that I already done:
* transfer to another hosting site. (free hosting site in particular) http://shinji3dmovie.byethost10.com/
* change "<?php and ?> tags to <script language="php"> and </script> tags
* rewrite my code
* change my <!doctype> to various settings.

Another wierd thing here is. the site show properrly on localhost but when being uploaded. the problem persists.

I can't debug anymore the problem but I use the same code before and it work on those days. thank you for your response. here is my code for index.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>Shinji: Full 3D Animated Film</title>
<meta name="keywords" content="" />
<meta name="description" content="" />
<link href="http://fonts.googleapis.com/css?family=Source+Sans+Pro:200,300,400,600,700,900" rel="stylesheet" />
<link href="default.css" rel="stylesheet" type="text/css" media="all" />
<link href="fonts.css" rel="stylesheet" type="text/css" media="all" />

<style type="text/css">
        p.error, p.success {
            font-weight: bold;
            padding: 10px;
            border: 1px solid;
        }
        p.error {
            background: #ffc0c0;
            color: #900;
        }
        p.success {
            background: #b3ff69;
            color: #4fa000;
        }
        p.normal {
            background: cdcdcd;
            color: 212121;
            }
        h3 {
            font-size: 1em;
            color: #6a363a;
            }
    </style>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>

<!--//////////////////////////////////////////
////////////////////HEADER////////////////////
//////////////////////////////////////////////-->
<div id="header">
    <div id="menu" class="menucontainer">
        <ul>
            <li><a href="news.php" accesskey="1" title="">NEWS</a></li>
            <li><a class="current_page_item" href="index.php" accesskey="2" title="">FILMS</a></li>
            <li><a href="gallery.php" accesskey="3" title="">GALLERY</a></li>
            <li><a href="about.php" accesskey="4" title="">ABOUT</a></li>
            <li><a href="contact.php" accesskey="5" title="">CONTACT</a></li>
        </ul>
    </div>
</div>

<!--//////////////////////////////////////////
//////////////////LOGO////////////////////////
//////////////////////////////////////////////-->
<div class="logocontainer">
<img src="images/logooo.png" id="center" />
</div>

<!--//////////////////////////////////////////
//////////////////VIDEO///////////////////////
//////////////////////////////////////////////-->
<div class="videocontainer">
<iframe id="center" width="852" height="480" src="http://www.youtube.com/embed/mA1of1OmnyI" frameborder="0" allowfullscreen="allowfullscreen"></iframe>
</div>

<!--//////////////////////////////////////////
/////////////////CONTENT//////////////////////
//////////////////////////////////////////////-->

<div class="bodycontainer" id="content">

<?php
function curPageName()
{
    return substr($_SERVER["SCRIPT_NAME"],strrpos($_SERVER["SCRIPT_NAME"],"/")+1);
}
$GLOBALS['hostname'] = 'localhost';
$GLOBALS['username'] = 'test';
$GLOBALS['password'] = 'admin';
$GLOBALS['database'] = 'test';
//connect to database
$con=mysqli_connect($GLOBALS['hostname'],$GLOBALS['username'],$GLOBALS['password'],$GLOBALS['database'])or trigger_error("SQL:", E_USER_ERROR);
//query to count all numbers in database
$q="select count(*) \"total\"  from rate";
//do the query
$ros=mysqli_query($con,$q) or die(mysqli_error());
//fetch returned data to a variable
$row=mysqli_fetch_array($ros);
//get the total
$total=$row['total'];
$rating = 0;


//echo "The current page name is ".curPageName();
if ($total == 0) 
{
    //echo '<p class="error">ERROR: Rating can\'t be computed. No one rated yet. </p>';
}
else 
{   
    //get total rating
    $q="select * from rate";
    $ros=mysqli_query($con,$q);
    while($row=mysqli_fetch_array($ros))
    {
        $newrate = $row["rating"];
        $rating = $rating + $newrate;
    }
    $average = $rating/$total;
    $average = round($average, 1);
    echo '<p class="stats">Video Rating: $average<br />This video has been rated $total times.<br /></p>';
}
//PROCESS RATE
if (isset($_POST['processrate'])) 
{
    $con = mysqli_connect($GLOBALS['hostname'],$GLOBALS['username'],$GLOBALS['password'],$GLOBALS['database'])or trigger_error("SQL:", E_USER_ERROR);
    $rating = $_POST['rate'];
    $q = "INSERT INTO rate (rating) VALUES ('$rating')";
    if (!mysqli_query($con,$q)) 
    {
        die('Error: ' . mysqli_error($con));
    }
    else
    {
        echo '<p class="success">Thank you for rating our film.</p>';
    }
}
else
{
?>
    <form method="post">
    <h3>Rate video</h3>
    <select name="rate">
        <option value="1">1</option>
        <option value="2">2</option>
        <option value="3">3</option>
        <option value="4">4</option>
        <option value="5">5</option>
    </select>
    <input type="submit" value="Rate" name="processrate" />
    <hr />
</form>
<?php
}

if (isset($_POST['gocomment'])) 
{
    //connect to database
    $con=mysqli_connect($GLOBALS['hostname'],$GLOBALS['username'],$GLOBALS['password'],$GLOBALS['database'])or trigger_error("SQL:", E_USER_ERROR);
    $comment = $_POST['comment'];
    //set timezone
    date_default_timezone_set('Asia/Hong_Kong');
    //get date
    $date = date("Y-m-d");
    //get time
    $time = date("h:i:s");
    //insert to database
    $email = $_POST['email'];
    //INSERT ADDITIONAL VALIDATIONS HERE
    $q = "INSERT INTO comments (email,comment,date1,time) VALUES ('$email','$comment','$date','$time')";
    if (!mysqli_query($con,$q)) 
    {
        die('Error: ' . mysqli_error($con));
    }
    else
    {
        echo '<p class="success">Comment Posted.</p>';
    }
}
?>
<form method="post">
    <h3>Comment (Max 250 Chars)</h3>
    <b>E-mail:</b><br /><input type="email" name="email" required="required" /><br />
    <b>Comment:</b><br /><textarea cols="100" maxlength="250" required="required" name="comment"></textarea><br />
    <input type="submit" value="Post Comment" name="gocomment" />
    <hr />
</form>

<table height="200px" style="border:3px black solid;5px; background-color:#f5f5f5" width="100%">

<tr>
    <th colspan="2" height="40px" style="border-bottom:3px black solid">Comments</th>
</tr>
<?php
    $con=mysqli_connect($GLOBALS['hostname'],$GLOBALS['username'],$GLOBALS['password'],$GLOBALS['database'])or trigger_error("SQL:", E_USER_ERROR);
    $q="select count(*) \"total\"  from comments";
    $ros=mysqli_query($con,$q) or die(mysqli_error());
    $row=mysqli_fetch_array($ros);
    $total=$row['total'];
    if($total==0){
        echo '<tr>';
        echo '<td style="text-align:right;" width="20%" style="border-bottom:1px #a1a1a1 solid"><b><font color=blue>Admin :</font>';
        echo '<td> No comments yet.';
        echo '</tr>';
    }
    else{
        $page = curPageName();
        $dis=5;
        $total_page=ceil($total/$dis);
        $page_cur=(isset($_GET['page']))?$_GET['page']:1;
        $k=($page_cur-1)*$dis;

        $q="select * from comments ORDER BY comment_id DESC limit $k,$dis";
        $ros=mysqli_query($con,$q);
        while($row=mysqli_fetch_array($ros))
        {
            echo '<tr>';
            echo '<td rowspan=2 style="text-align:right;" width="20%" style="border-bottom:1px #a1a1a1 solid "><b><font color=blue>'.$row['email'].' :</font>';
            echo '<td>'.$row['comment'];
            echo '<tr><td style="border-bottom:1px #a1a1a1 solid">'.'<font size=1>'.$row['date1'].','.$row['time'].'</font></tr>';
            echo '</tr>';
        }
        echo '</table>';
        echo '<br/>';
        if($page_cur>1)
        {
            echo '<a href="'.$page.'?page='.($page_cur-1).'" style="cursor:pointer;color:green;" ><input style="cursor:pointer;background-color:#aaaaaa;border:1px black solid;width:120px;height:30px;color:black;font-size:15px;font-weight:bold;" type="button" value=" Previous "></a>';
        }
        else
        {
          echo '<input style="background-color:#aaaaaa;border:1px black solid;width:120px;height:30px;color:black;font-size:15px;font-weight:bold;" type="button" value=" Start ">';
        }
        for($i=1;$i<$total_page;$i++)
        {
            if($page_cur==$i)
            {
                echo ' <input style="background-color:#aaaaaa;border:2px black solid;width:30px;height:30px;color:black;font-size:15px;font-weight:bold;" type="button" value="'.$i.'"> ';
            }
            else
            {
            echo '<a href="'.$page.'?page='.$i.'"> <input style="cursor:pointer;background-color:#aaaaaa;border:1px black solid;width:30px;height:30px;color:white;font-size:15px;font-weight:bold;" type="button" value="'.$i.'"> </a>';
            }
        }
        if($page_cur<$total_page)
        {
            echo '<a href="'.$page.'?page='.($page_cur+1).'"><input style="cursor:pointer;background-color:#aaaaaa;border:1px black solid;width:90px;height:30px;color:black;font-size:15px;font-weight:bold;" type="button" value=" Next "></a>';
        }
        else
        {
         echo '<input style="background-color:#aaaaaa;border:1px black solid;width:90px;height:30px;color:black;font-size:15px;font-weight:bold;" type="button" value="   End ">';
        }
    }
mysqli_close($con);
?>
</table>

<h2>FILM</h2>
    <p>“Shinji: Warrior Within” is an animated short film directed and created by Skylight Productions. This short film was established thru a collaboration with Funguy Studios, Makati City, Philippines.</p>
    <br />
    <hr />
    <br />
    <h3>Teaser Trailer</h3>
    <iframe id="center" width="852" height="480" src="http://www.youtube.com/embed/mQSSZZW9H6U" frameborder="0" allowfullscreen="allowfullscreen"></iframe>

</div>

<!--//////////////////////////////////////////
/////////////////FOOTER///////////////////////
//////////////////////////////////////////////-->

<div id="copyright" class="footercontainer">
<table align="center">
    <tr>
        <td><img src="Funguy.png" /></td>
        <td><img src="Skylight.png" /></td>
    </tr>
</table>

    <p>Copyright (c) 2013 shinji3dmovie.com All rights reserved. | Design by <a href="http://www.freecsstemplates.org/" rel="nofollow">Lee Nocon</a>.</p>
</div>
</body>
</html>
Edited by polarpandabear
  • 3 Contributors
  • 6 Replies
  • 476 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by cereal
Member Avatar for cereal

Did you solved the problem? Looking at the linked page, it seems all fine now. An evident error, in the above code is this:

$q="select count(*) \"total\"  from comments";

Because with the aliases and the column names you have to use the backticks not the quotes. So:

$q = "select count(*) as `total` from comments";

Documentation: http://dev.mysql.com/doc/refman/5.6/en/identifiers.html

Member Avatar for polarpandabear

nope. It didn't solve the problem.
I have something in mind...
If my code works perfectly before. then is the problem is the php compiler on my webhosting sites? or any chenges from the new PHP version? what do you think. this code also run perfectly on my localhost.

Thank you :D

Member Avatar for orochiwolf

It seem like your php code isn't interpreted at all. the html code is stoped before your first <?php. And nothing after this is displayed. So, two thing the first one is: are you sure that you are uploding the right index.php with php as extension.
And secondary your hosting don't inerpret php at all.

Member Avatar for cereal

Ok, now I see: the page is not complete. If you check the headers you will see that the server returns status code 500:

HTTP/1.1 500 Internal Server Error
Connection: close
Content-Type: text/html
Date: Tue, 11 Mar 2014 17:16:39 GMT
Server: Apache
Transfer-Encoding: chunked
X-Powered-By: PleskLin

You should check the Apache error log, and also the PHP error log. You could also enable the error reporting by adding:

error_reporting(E_ALL);

to the top of page, by reloading the page you should see eventual errors in the script.

If my code works perfectly before. then is the problem is the php compiler on my webhosting sites? or any chenges from the new PHP version? what do you think. this code also run perfectly on my localhost.

Yes, it could be a problem with the hosting configuration if, for example, your version of PHP loads a module that is missing in the hosting version.

Member Avatar for polarpandabear

I finally resolve the problem. the problem is that there was a hacker who use SQL injection to exploit our site. that's why it can't compilee the hlaf part of our page
I have some weaknesses when it comes to security.
I solve it by displaying the error messages as suggested by cereal.
maybe I have to study more on regular_expressions to counter this attack. am I right? any tips? thank cereal :D

Edited by polarpandabear
Member Avatar for cereal

Regarding the queries use prepared statements, so consider to switch from the MySQL API to PDO or MySQLi:

About the APIs:

Then change username and password of your database, since these were hardcoded in the source, the attacker probably tried to read them. Change them because from a MySQL shell it is possible to write or read files in the remote server and this means access without limits to the server. And if he can connect to the database from remote, then he can alter the contents whenever he wants.

A part that, filter and sanitize everything you receive from the client, never trust POST, GET, COOKIEs, and headers. For example, if from $_GET['page'] you expect an integer, then be sure you get that type of data, use at least intval, so instead of:

$page_cur = (isset($_GET['page'])) ? $_GET['page'] : 1;

Use:

if(isset($_GET['page']))
{
    $page_cur = intval($_GET['page']);
    if($page_cur == 0) $page_cur = 1;
}

More about security:

Bye! :)

Edited by cereal
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.