
Nitation's Posts


Webmasters / Re: Kindly Rate This Site by nitation(m): 5:56pm On Jun 19, 2009
So then, what do you have? Ever since January 2009 that you started <?php echo "hello world!"; ?>, what can you show for it? I am keen to see why you have been on the front-line on people! Why should I recommend you as a developer?

- nitation
Webmasters / Re: Kindly Rate This Site by nitation(m): 4:51pm On Jun 19, 2009
@ Segs

I don't expect you to start with me. I have been watching you closely for the past few weeks and your posts have been so tempting! Also, why would I beg moderators to remove you? For what? You have your opinion, but you really need to be considerate, man! Rome wasn't built in a day.

Anyway, upload your website, make we comment!

- nitation
Webmasters / Re: I Am About To Be Duped. Webmasters Help! by nitation(m): 10:27pm On Jun 18, 2009
You can say that again! Tracking http://localhost:8080 wasn't that hard

- nitation
Webmasters / Re: Kindly Rate This Site by nitation(m): 10:21pm On Jun 18, 2009
@ Segs

Don't forget that a few months ago you were like this dude, begging everyone on NL webmaster room to help you review your "segsalerty.com". We all responded without chasing you away! Dude, I am seeing your posts as spam. I think it is high time the moderators find a solution. You act as if you were not once a learner, even though you have 13 years' experience in just 6 months.

KPSHEEEEW

- nitation
Webmasters / Re: The Richest People Have The Simplest Websites - True Or False by nitation(m): 10:10pm On Jun 18, 2009
I don't think I'm buying his point. In as much as I respect his opinion, I still believe it's wrong! Where are the rich people coming from with simple websites? Flashing back to my wealthy clients, they always request for the best, and for those who don't know about the best, it's my duty to explain the disadvantages of the "bad".

My own view -> Oya more points!

- nitation
Webmasters / Re: I Am About To Be Duped. Webmasters Help! by nitation(m): 10:04pm On Jun 18, 2009
Oya let's go grin grin grin

- nitation
Webmasters / Re: Php/mysql Applications by nitation(m): 10:03pm On Jun 18, 2009
For sure! My advice for you is to act dumb and let the "best" declare. Thank you for the summary!

- nitation
Webmasters / Re: I Am About To Be Duped. Webmasters Help! by nitation(m): 5:18pm On Jun 18, 2009
@mavtrevor

I am watching, I think we are both on the same track

- nitation
Webmasters / Re: Php/mysql Applications by nitation(m): 5:04pm On Jun 18, 2009
@ Segs

What can I say?? Everyone na programmer now oo!

- nitation
Webmasters / Re: Php/mysql Applications by nitation(m): 5:38pm On Jun 17, 2009
@ Poster

mysql_real_escape_string should solve the problem. Check out this link : http://php.net/mysql_real_escape_string

I believe it should help

I have an example of how to apply it

$username = mysql_real_escape_string($_POST['username']);
$password  = mysql_real_escape_string($_POST['password']);
$sql = "SELECT * FROM table_name WHERE user='$username' AND pass='$password'";

P.S. I do not advise storing passwords in plain text; what I wrote is just an example of how it should be applied. Do not SAVE passwords in plain text during production.

- nitation
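
Added example, not part of nitation's post: the same login lookup written with a PDO prepared statement and password_hash()/password_verify(), so the input is bound as data rather than escaped into the SQL string and no plain-text password is stored. The users table, its column names and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made so the script runs on its own.

```php
<?php
// Added example. Table name, column names and the in-memory SQLite database
// are assumptions made so the script runs stand-alone.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

function register(PDO $pdo, string $username, string $password): void
{
    // Store a salted, slow hash instead of the password itself.
    $stmt = $pdo->prepare('INSERT INTO users (user, pass_hash) VALUES (:user, :hash)');
    $stmt->execute([
        ':user' => $username,
        ':hash' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    // The value is bound as data; it never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE user = :user');
    $stmt->execute([':user' => $username]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched.
    return is_string($hash) && password_verify($password, $hash);
}

register($pdo, 'alice', 'correct horse battery staple');

// Constructed sample inputs, including values that would break out of a
// quoted string if they were concatenated into the query.
$attempts = [
    ['alice', 'correct horse battery staple'],
    ['alice', 'wrong password'],
    ["alice' OR '1'='1", 'anything'],
    ["' OR ''='", "' OR ''='"],
];

foreach ($attempts as [$user, $pass]) {
    printf("%-20s => %s\n", $user, login($pdo, $user, $pass) ? 'accepted' : 'rejected');
}
```
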
Webmasters / Re: Punch Website At It Again by nitation(m): 11:19am On Jun 17, 2009
- nitation*
Webmasters / Re: Code To Upload Files To Server, Help by nitation(m): 5:09pm On Jun 16, 2009
On the contrary, kolitos007, the user didn't specify what file extension must be accepted according to his code. One of the problems is that he should change the permission for his directory uploads to 0777 and let's see what happens.

- nitation
Webmasters / Re: Punch Website At It Again by nitation(m): 9:14am On Jun 16, 2009
GOD is good! by the way, am an atheist!!! grin My definition of GOD differs hahahaha
Webmasters / Re: Equitorial Bank Website Used For Interswitch 419 Scam by nitation(m): 10:49pm On Jun 15, 2009
lol that's funny. At first when I saw that, I couldn't stop laughing at how these scams are going overboard.

- nitation
Webmasters / Re: Punch Website At It Again by nitation(m): 10:05pm On Jun 15, 2009
Webmasters / Re: Punch Website At It Again by nitation(m): 6:09pm On Jun 15, 2009
I noticed the same thing, for a reason or so I find myself still visiting the website. I think my problem is addiction as I don't dig sunnewsonline for their delay in update.

More so, I think it is taking business and traffic down the drain by adopting such method. They better consult Alexandra forbes for proper risk management, because this one na big risk oo!!!

- nitation
Webmasters / Re: Strongwebmail.com To Lose $10,000 To Hackers. by nitation(m): 8:16pm On Jun 13, 2009
Segsalerty lead your crew and remember not to lead them into temptation and deliver them from all evil

- nitation
Webmasters / Re: :: Dhtml Framework Evolution by nitation(m): 8:11pm On Jun 13, 2009
No sweat! Counting down to the release of the framework. Put all effort and shock us all!

- nitation
Webmasters / Re: :: Dhtml Framework Evolution by nitation(m): 7:56pm On Jun 13, 2009
That's weird! It shows it wasn't that important to you. Why didn't you PM on NL then?

Dual core -> I AM LOST OJARE

- nitation
Webmasters / Re: :: Dhtml Framework Evolution by nitation(m): 7:51pm On Jun 13, 2009
I Never die now. After all you never bothered to know what's happening to your boy

- nitation
Webmasters / Re: :: Dhtml Framework Evolution by nitation(m): 7:48pm On Jun 13, 2009
hmmm


- nitation
Webmasters / Re: Equitorial Bank Website Used For Interswitch 419 Scam by nitation(m): 8:20am On Jun 11, 2009
@ Aeso

I can see you have bag in all the certificates. In this field, experience is what counts! I do not know how long you have been doing your thing, but one thing that is certain is, you have limited your ability to what you have encountered only.

More so, I was giving a general understanding of what the SSL does and not in the MITM situation. This is also gonna be my last argument on this topic as it's taking us nowhere. I am willing to contribute more on educative topics.

Take a look at this scenario:

Bank X introduced the One-Time-Pin security feature for its customers whereby, before any transaction can be carried out, an eight-randomly generated pin would be sent to the customer's cellphone. Let us continue:

1) An attacker tricks a user to click on a link;
2) The user entered his/her details on the attacker's crafted page;
3) Suddenly, a one-time pin was sent to the user's cell phone. The user, not knowing, entered the OTP on the attacker's page.
4) The attacker has 30 minutes to perform whatever transaction as the one-time-pin will expire.

The question here is, why did the bank send the valid one-time pin to the user's cellphone even though he/she is not accessing the original website?

-nitation
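
Added example, not part of the post: the bank cannot tell who is typing, but it can derive the one-time PIN from the transfer it actually received and name that transfer in the SMS, so a PIN entered on a look-alike page authorises only the transaction the user was told about, and only briefly. The key handling, field names, eight-digit format and 120-second lifetime are assumptions.

```php
<?php
// Added example. Key storage, field names, the 8-digit format and the
// 120-second lifetime are assumptions, not any bank's actual scheme.

function transactionOtp(string $userKey, array $txn, string $nonce): string
{
    // Canonical form of exactly what the user is asked to approve.
    $message = implode('|', [$txn['from'], $txn['to'], $txn['amount'], $nonce]);
    $mac = hash_hmac('sha256', $message, $userKey, true);
    // Truncate the MAC to an 8-digit code.
    $number = unpack('N', substr($mac, 0, 4))[1] & 0x7fffffff;
    return str_pad((string) ($number % 100000000), 8, '0', STR_PAD_LEFT);
}

function smsText(array $txn, string $otp): string
{
    // Naming payee and amount lets the user spot a transfer they did not start.
    return sprintf('PIN %s authorises %s to account %s only.', $otp, $txn['amount'], $txn['to']);
}

function verifyOtp(string $userKey, array $submittedTxn, string $nonce,
                   string $otp, int $issuedAt, int $now, int $ttl = 120): bool
{
    if ($now - $issuedAt > $ttl) {
        return false; // a short lifetime narrows the relay window
    }
    // Recompute from the transaction being submitted; constant-time compare.
    return hash_equals(transactionOtp($userKey, $submittedTxn, $nonce), $otp);
}

$key = random_bytes(32);            // per-user secret held by the bank
$nonce = bin2hex(random_bytes(8));  // fresh per PIN, stored with the pending transfer
$issuedAt = time();

// Constructed sample: the transfer the bank received and issued the PIN for.
$requested = ['from' => '0011223344', 'to' => '5566778899', 'amount' => '150.00'];
$otp = transactionOtp($key, $requested, $nonce);
echo smsText($requested, $otp), "\n";

// The same PIN checked against the original transfer, a transfer with a
// different payee, and the original transfer 30 minutes later.
$altered = ['from' => '0011223344', 'to' => '9988776655', 'amount' => '150.00'];
var_dump(verifyOtp($key, $requested, $nonce, $otp, $issuedAt, $issuedAt + 30));
var_dump(verifyOtp($key, $altered, $nonce, $otp, $issuedAt, $issuedAt + 30));
var_dump(verifyOtp($key, $requested, $nonce, $otp, $issuedAt, $issuedAt + 1800));
```
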
Webmasters / Re: Equitorial Bank Website Used For Interswitch 419 Scam by nitation(m): 11:06am On Jun 10, 2009
@ Aeso

To put an end to our endless argument. This is what is certain:

SSL guarantees confidentiality and authentication only. There are many threats that attack web applications, including SQL Injection, XSS, CSRF, Denial of Service, Brute-Force-Attack, MITM, etc.

The technicality of the situation may not be understood by an average user in MITM case.

- nitation
Webmasters / Re: Equitorial Bank Website Used For Interswitch 419 Scam by nitation(m): 5:18pm On Jun 09, 2009
@ Aeso

On the contrary, if a website uses only one-way SSL security (only the website has an SSL certificate) instead of two-way, which was the intention of SSL in the first place, then MITM can take place.

In real terms, this is regarded as phishing 2.0, more sophisticated than the traditional method of phishing. Citibank fell victim in 2006 or so.

- nitation
Webmasters / Re: Equitorial Bank Website Used For Interswitch 419 Scam by nitation(m): 7:37pm On Jun 08, 2009
@ Aeso

In Jupiter where I reside, one of the leading banks lost over $200 million in 6 months on internet banking phishing scam. What the bank did was to implement the One-Time Pin technology (for those who care to know - this is an algorithm calculation that generates numbers/codes for a user who is accessing the internet banking at a particular time, through SMS preferably or email, and it expires within a time-frame).

What happened next was, it became very difficult for phishers to trick people into providing their internet banking details. Even if they do, they (the phishers) do not have access to the user's cellphone. Now a MITM attack surfaced. Hackers develop an application that exploits communication between the user and the server residing on a secured location - I am referring to SSL. Like my first post - phishing has gone beyond how it seems.

Open for argument ->

- nitation
Webmasters / Re: Equitorial Bank Website Used For Interswitch 419 Scam by nitation(m): 11:05pm On Jun 07, 2009
aeso:


Have you heard of famous websites that have been hacked in the past? CNN, White House by Chinese hackers? Do a google search to find out. I don't dispute your view of a possible collusion with an ETB officer in this, but as a forensic or "forency" expert you claim to be, you should bear a more flexible approach in your investigations.
Believe me it is quite easy, although may require some patience. Here's one avenue:

1. Run an nslookup to get web server's IP address.
2. Scan and  probe server for services running, do OS fingerprinting to discover what OS is running. Possibly detect which web server is in use as well.
3. Scan to see if there are vulnerabilities on the server that have not been patched. If none found, subscribe to mailing lists for zero-day attacks and wait patiently till a new vulnerability is reported. Quickly run an exploit before web/server admins have time to patch systems.
4. Run an exploit to hijack web server. Elevate your privileges/permissions and plant a backdoor for future privileged access. Design your [fake] interswitch web page and upload on server using ssh. Design exactly like real interswitch, or just download copy of the real site if you don't have the time.
5. Create new database on existing database server. Link [fake] interswitch web page form to database to "harvest" proceeds of phish.
6. Send bogus email to several thousands of users.
7. Run operation for a few hours only to escape detection. Clear funds in "mugu" accounts.
8. Cover your tracks by clearing the system logs of all traces of activity.

So it's as [easy] as that. The problem I see is that most webmasters are ignorant of security issues.
Ask yourself who gets the best jobs? It has never been, and never will be, the most suited/skilled. It's always the individual who blows his trumpet the most with a 10-page CV or who gets there on merit.

The lesson here is that web servers must always be patched regularly. Users must also look for a padlock/key sign on their browser when posting confidential info. If you don't see a padlock, close the page immediately. If you do see a padlock, click on it to check the site's certificate to ensure it is the real Interswitch, as anyone can easily set up a secure server.

I am open to more argv on this,

You have said it all. I have a but though. I encountered a scenario with one of my clients when they had a phishing problem. A scammer actually placed a padlock image as a FAVICON. When the innocent customer received the phishing email, the first thing he checked was the padlock, which was trickily placed on the FAVICON IMAGE. What do you say to that?
Webmasters / Re: Equitorial Bank Website Used For Interswitch 419 Scam by nitation(m): 5:28pm On Jun 04, 2009
For those lamenting on the web administrator!

You should ask yourself if the bank took the proper procedure in employing the better guys to maintain their online server.

2) How much was "positively" invested in the so-called ETB online website.

3) What checks and balances were put in place on those maintaining the website and how do they respond to problems when encountered? Do these people (ETB) even consider their customers' protection/safety?

Lastly, the web admin doesn't have to give access before a less secured site can be compromised. I give kudos to aeso for sharing his thoughts here, but believe me, phishing has gone way beyond how it seems.

My contribution

- nitation
Webmasters / Re: How Do I Upload A Picture Into My Database In Php And Coldfusion by nitation(m): 9:28pm On May 26, 2009
why not upload to a directory and store the image file name to the DB. What about that??
Webmasters / Re: Re-branding Nigeria Website by nitation(m): 6:41pm On May 25, 2009
Hi,

@ Yawa - I can see the ever emphasized point on this forum is coming around again. You know how you dealt with it in the past, apply the same method.

- nitation
Webmasters / Re: 100 Best Developers In Nigeria? Says Who? by nitation(m): 5:19pm On Apr 06, 2009
From Sam Milla -> all involved

Why have we suddenly decided to move from the topic to "NITATION'S writing his username on every post". I thought DHTML was supposed to correct every off-pointers?? Wetin come happen!

- nitation
Webmasters / Re: Please I Need Help With Php Session by nitation(m): 2:07pm On Apr 04, 2009
Remember not to leave any white spaces before session_start();

<?php session_start();

// whatever code

?>
Webmasters / Re: Ie8 Recovers All From Google Chrome! by nitation(m): 5:24pm On Mar 29, 2009
@conn-kg

To clarify stuff to our beloved readers, I strongly believe the poster is commenting from an end-user's point of view. If you are a developer or a security concerned fellow, believe me, you would uninstall IE or permanently disable it from your system.

IE SuCks ~

- nitation
