Posts: 15,229
Days Won: 427
Everything posted by requinix
-
IIRC the auto-incremented IDs for multiple INSERTs are guaranteed to be sequential - so long as you don't muck about with the table's current AUTO_INCREMENT value. So $insert_id and $insert_id+1.
-
So your question is not about preventing people from typing, nor about how to prevent people from typing certain characters, but about how to add a couple more to the set of allowed characters? Hyphen has a special meaning in character sets that goes away when you put it at the beginning or end (or a third way). The other three don't.

    var regex = new RegExp("^[a-zA-Z0-9_.@-]+$");
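The same character class in PHP's preg_match(), as an added example that is not part of the original post. It shows the three placements of the hyphen the post refers to, what goes wrong when the hyphen lands in the middle of the class (".-@" becomes a range), and one further pitfall the JavaScript version does not have: PCRE's "$" also matches before a trailing newline, so "\z" is the safer anchor for a whitelist. The sample inputs are constructed.

```php
<?php
// Added example, not code from the original post. preg_match() version of the
// allowed-character check, with the hyphen pitfall and the "$" pitfall.

// Hyphen last (or first, or escaped as \-): a literal "-".
// \z rather than $: "$" also matches before a trailing newline.
const SAFE_PATTERN = '/^[a-zA-Z0-9_.@-]+\z/';

// Hyphen in the middle: ".-@" is a RANGE, 0x2E to 0x40, so the class silently
// admits "/", ":", ";", "<", "=", ">" and "?" and no longer admits "-" itself.
const RANGE_BUG_PATTERN = '/^[a-zA-Z0-9_.-@]+$/';

// Correct class but "$": "john\n" passes because "$" matches before a final "\n".
const NEWLINE_BUG_PATTERN = '/^[a-zA-Z0-9_.@-]+$/';

function isAllowed(string $input, string $pattern = SAFE_PATTERN): bool
{
    // preg_match() returns 1 on match, 0 on no match, false on a broken pattern;
    // only an explicit 1 counts as allowed, so a bad pattern fails closed.
    return preg_match($pattern, $input) === 1;
}

// Constructed inputs.
$samples = ['john.doe@example', 'john-doe', 'a<b', "john\n"];

printf("%-20s %-6s %-10s %s\n", 'input', 'safe', 'range-bug', 'newline-bug');
foreach ($samples as $s) {
    printf("%-20s %-6s %-10s %s\n",
        json_encode($s),
        isAllowed($s) ? 'yes' : 'no',
        isAllowed($s, RANGE_BUG_PATTERN) ? 'yes' : 'no',
        isAllowed($s, NEWLINE_BUG_PATTERN) ? 'yes' : 'no');
}
```

Run with the CLI: "john-doe" is accepted by the safe pattern and refused by the range-bug pattern, "a<b" is refused by the safe pattern and accepted by the range-bug pattern, and "john\n" is accepted by both patterns that end in "$" and refused only by the one anchored with "\z".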
-
You can still use WinHttpRequest to upload a file, but you do it not as a "regular" file upload but by sending the data right in the request body. Which is what you're doing right now, in fact.

1. Use the PUT method instead of POST to be consistent with how the various HTTP request methods are supposed to be used.

2. Your PHP code needs the filename so you'll have to send that in the request. Easiest way would be to put that in the query string like

    http.Open "PUT", URL & "?filename=" & URL_encoded_filename_goes_here, False

(if the URL already has a query string then you'd use "&" instead of "?", of course). Or, if possible, you can modify your code so that it doesn't need the filename.

3. Your PHP code can't use $_FILES but it can get the file data with

    file_get_contents("php://input")

The filename comes from $_GET like normal.
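The PHP side of that PUT upload, as an added example that is not code from the original post. Taking the body from php://input means none of the checks $_FILES does for you happen, so the filename from the query string has to be reduced to a single safe path component, the size has to be capped, and an existing file must not be overwritten. UPLOAD_DIR, MAX_BYTES and ALLOWED_EXT are assumptions for the demo; run from the command line it exercises the checks against constructed names in a temporary directory.

```php
<?php
// Added example, not code from the original post. The PHP side of the PUT upload
// described above: body from php://input, name from ?filename=, plus the checks
// that $_FILES would otherwise have done for you. UPLOAD_DIR, MAX_BYTES and
// ALLOWED_EXT are assumptions for the demo.

const UPLOAD_DIR  = __DIR__ . '/uploads';     // assumed; serve it as static files only
const MAX_BYTES   = 5 * 1024 * 1024;          // assumed size limit
const ALLOWED_EXT = ['txt', 'csv', 'pdf'];    // assumed; never .php/.phtml/.htaccess

// Reduce a client-supplied name to one safe path component, or null.
function safeFilename(string $raw): ?string
{
    $name = basename(str_replace('\\', '/', $raw));        // drop any directory part
    if ($name === '' || $name[0] === '.' || strlen($name) > 128) {
        return null;                                       // "", ".", "..", dotfiles
    }
    // Whitelist of characters; \z so a trailing newline cannot sneak past "$".
    if (preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\z/', $name) !== 1) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $name : null;
}

// Write $body as $rawName inside $dir. Returns the path or throws.
function storeUpload(string $rawName, string $body, string $dir): string
{
    $name = safeFilename($rawName);
    if ($name === null) {
        throw new InvalidArgumentException('bad filename');
    }
    if ($body === '' || strlen($body) > MAX_BYTES) {
        throw new LengthException('bad size');
    }
    $target = $dir . '/' . $name;
    $fh = @fopen($target, 'x');        // create only: never overwrite an existing file
    if ($fh === false) {
        throw new RuntimeException('cannot create ' . $name);
    }
    fwrite($fh, $body);
    fclose($fh);
    return $target;
}

if (PHP_SAPI !== 'cli') {
    // Web request: WinHttpRequest sends PUT /upload.php?filename=... with the file as body.
    if ($_SERVER['REQUEST_METHOD'] !== 'PUT') {
        http_response_code(405);
        exit;
    }
    try {
        $path = storeUpload($_GET['filename'] ?? '', file_get_contents('php://input'), UPLOAD_DIR);
        http_response_code(201);
        echo basename($path), "\n";
    } catch (Exception $e) {
        http_response_code(400);
        echo $e->getMessage(), "\n";
    }
} else {
    // Command-line demo against a temporary directory and constructed bodies.
    $dir = sys_get_temp_dir() . '/put-demo-' . getmypid();
    mkdir($dir, 0700);
    echo "stored: ", storeUpload('report.txt', "hello\n", $dir), "\n";
    echo "stored: ", storeUpload('../../etc/passwd.txt', "x\n", $dir), "\n";   // lands in $dir as passwd.txt
    foreach (['.htaccess', 'shell.php', "notes.txt\n", 'report.txt', ''] as $bad) {
        try {
            storeUpload($bad, "x\n", $dir);
        } catch (Exception $e) {
            printf("rejected %-16s (%s)\n", json_encode($bad), $e->getMessage());
        }
    }
}
```

The directory part of "../../etc/passwd.txt" is discarded rather than rejected, so the file is confined to the upload directory; the second "report.txt" fails because of the create-only open mode rather than because of its name.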
-
$_FILES only works for a specifically-formatted request. What is the uploading code? Even if it isn't PHP. And just in case, are you able to change it?
-
This is actually a PHP problem: you didn't put quotes around your query. Did you not notice that or were you not aware you have to use quotes in PHP?
-
    $run_cats = mysqli_query($con, $get_cats);
    while ($row_cats = mysql_fetch_array($run)) {

You call it "run_cats" on the first line but "run" on the second.
-
You're mixing mysql and mysqli commands in there and passing the wrong variable (to the wrong function).
-
Short answer is yes. Longer answer is yes if you don't know what the value is and/or the value could contain arbitrary data. Something you've guaranteed to be a number (and I mean you've used code to ensure it is) doesn't need to be escaped because you know it's a number. Or maybe you ran a regex against a string to check that it only has letters and numbers - that's fine too. Point is that in both cases you know exactly what kind of value you have and thus you already know it's safe.
-
I'm going to assume each set of lines is to be taken in its own right, though the code suggests it's actually chaining all of these together (which is very, very bad).

    $username = $_POST['username'];
    $password = trim($_POST['password']);

Keeps the values as they were entered until, presumably, they are escaped at the last second. Which is how it should be.

    $username = htmlspecialchars($_POST['username']);
    $password = htmlspecialchars($_POST['password']);

Escapes the username and password immediately. These must not be used with anything except for HTML/XML output. Have to use $_POST to get the original values.

    $username = mysqli_real_escape_string($con, $username);
    $password = mysqli_real_escape_string($con, $password);

Escapes the values for use directly in a mysqli query. Don't use the values for anything else (including use in a mysql or PDO query, or a prepared statement).

    $username = stripslashes($_POST['username']);
    $password = stripslashes($_POST['password']);

Removes quotes that were added because of magic_quotes. If you don't have magic_quotes enabled then don't do this.

    $password = hash('ripemd128', $password);

Hash. Esoteric algorithm.

    $username = strip_tags($username);
    $password = strip_tags($password);

Because you decided to alter the input such that anything that resembles an HTML tag gets removed. Limits what I can enter for a password, may be reasonable for a username though.

    $username = filter_var($username, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
    $password = filter_var($password, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);

Some arbitrary sanitization. Have to consult the manual to find out exactly what it does.

    $username = htmlentities($username, ENT_QUOTES);
    $password = htmlentities($password, ENT_QUOTES);

Convert anything not in the default character encoding (which is...?) into an HTML entity, as well as the regular HTML-unsafe characters and both types of quotes. Screws up unusual usernames, might not have any discernible effect on the password.
-
No. I might enter '">' and that would break out of your . No, it has nothing to do with XSS. What prepared statements do help with is SQL injection. htmlspecialchars() is "better" than htmlentities(). There's also urlencode(), rawurlencode(), and http_build_query() for dealing with URLs.
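An added example, not code from any of the posts above, putting the last three answers together: the input is kept raw, nothing is escaped "just in case" at the top of the script, and each output context gets its own function at the moment of output. The SQL side uses a prepared statement against an in-memory SQLite database through PDO (assumes the pdo_sqlite extension) so the injection attempt can be tried offline; the users table, the column names and the hostile username are constructed for the demo.

```php
<?php
// Added example, not code from the original posts. One raw input, escaped once
// per output context at the point of output. Table, columns and sample values
// are assumptions for the demo; needs the pdo_sqlite extension.

function forHtml(string $s): string
{
    // Text nodes and quoted attribute values. ENT_QUOTES covers single-quoted
    // attributes; the charset must match what the page declares.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function forUrlParam(string $s): string
{
    // One query-string value (%20 rather than +), to be pasted after "?u=".
    return rawurlencode($s);
}

function forJs(string $s): string
{
    // A JavaScript string literal inside <script>. The HEX flags keep < > & ' "
    // out of the output so "</script>" in the value cannot end the block.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function findUser(PDO $db, string $username): ?array
{
    // SQL: no escaping at all; the value never becomes part of the query text.
    $st = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed database and a username that would trip every naive escaper.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$db->prepare('INSERT INTO users (username) VALUES (?)')->execute(["o'neil <b>"]);

$input = "o'neil <b>";                   // as typed; stored raw, escaped only on output
$user  = findUser($db, $input);          // found: the quote is data, not syntax
$rogue = findUser($db, "' OR 1=1 --");   // null: the classic bypass does nothing

echo "lookup:    ", $user['username'] ?? 'none', "\n";
echo "injection: ", $rogue === null ? 'no match' : 'MATCHED', "\n";
echo "html:      <b>", forHtml($input), "</b>\n";
echo "attr:      <input value='", forHtml($input), "'>\n";
echo "url:       /profile?u=", forUrlParam($input), "\n";
echo "js:        <script>var u = ", forJs($input), ";</script>\n";
```

Note what is absent: no mysqli_real_escape_string(), no strip_tags(), no stripslashes(). The stored username still contains the quote and the angle bracket, and each output line is safe only because it is escaped for the one context it lands in.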
-
This is weird. Can you see what's wrong with it? (requinix replied to helloworld001's topic in Javascript Help)
So besides answers to my previous questions, what if you switch browsers? User 1 on Chrome and User 2 on Firefox?
-
    // assume the content in the body below is trade.php
    <body>
    <?php
    //query here
    if(count($result) > 0) {
        foreach($result as $row) {
            $user_id = intval($row['user_id']);
        }
        $_SESSION['requestById'] = $myUserid;
        $_SESSION['requestToId'] = $user_id;
    }
    ?>
    </body>

Have you confirmed that this code is (1) executing and (2) setting the requestById and requestToId values? Are you doing any redirects after this executes (eg, to move them to the confirmation page)?

And side note: should you be verifying that new requests are made "by" the current user? That is, $session_requestById == $mainUserid. If so, do you even need to bother with a "by" value at all?
-
Where are those two variables set? When did you do that in request.php? Does trade.php have it too?
-
The code seems right, though the

    openssl_get_publickey($publicKey);

isn't doing anything so you should remove it. Have you checked the return value manually? Does it look like random alphanumeric characters? General advice applies too: make sure you have your environment set up for development by using

    error_reporting = -1
    display_errors = on

in your php.ini (restart the web server if not) and check for error messages.
-
Two ways. First is array_multisort but it requires a separate array of the usernames. You pass that array and the original $usersdata and it sorts both at once, in order (so it sorts by username first and by $usersdata second). I don't like array_multisort(). Second is usort. I like usort().

    usort($usersdata, function($a, $b) {
        return strcmp($a["username"], $b["username"]);
    });

The function gets two entries from the array and returns <0 for $a before $b, >0 for $a after $b, and 0 if they're the same. This happens to match up exactly with how strcmp() works.
-
UTF-8 encoding in the last step doesn't make sense. I think they mean:
1. Make sure password is in UTF-8 encoding
2. base64_encode() it
3. Encrypt
4. base64_encode() that too
So try without the utf8_encode().
-
By deciding what you consider to be "malicious code" and then looking for it. If you think the presence of a "<?php" means it is malicious then that's what you look for.
-
You're saying that after only two years of work you have created something like Facebook? With all of Facebook's features? And it's more secure?
-
Some advice: don't try to detect bad input. You will not be able to protect yourself from everything that way. Instead just deal with it safely. Output into HTML should use functions like htmlspecialchars and occasionally (raw)urlencode. People entering PHP code should be perfectly fine because you should never, ever be attempting to execute it. If they want to provide a bad URL like that then it's okay because all you're going to do is output it or maybe redirect people to it, and both of those cases are very easy to protect yourself against. Here's a demonstration:

    $url = "http://corruptsecurity.net/chat.php?<?php file_put_contents() ?>";
    echo "<html>
    <head>
        <title>Redirecting...</title>
        <meta http-equiv='Refresh' content='10;url=", htmlspecialchars($url), "'>
    </head>
    <body>
        <p>Redirecting you to <a href='", htmlspecialchars($url), "'>", htmlspecialchars($url), "</a>...</p>
        <script type='text/javascript'>
        window.setTimeout(function() {
            document.location = ", json_encode((string)$url), ";
        }, 3000);
        </script>
    </body>
    </html>";
-
preg_match() has to do with regular expressions. It's not a solution to a particular problem but a tool you can use, so using it "properly" depends on what you're using it for. You could use it to validate simple things like usernames or complex things like URLs. Explain what "detect characters or keywords in the local URL" means.
-
I'm struggling to get cURL into a stored function. (requinix replied to t_v's topic in PHP Coding Help)
The global variable. Functions have arguments and return values and you should be using them, not creating global variables that magically exist without any obvious indication as to why or how.
-
Use your first bit of code but make the login button be a plain button (eg, type=button) instead of a submit button.
-
It's poor code, but it's not necessarily less safe.
-
And so

    function fetch($url, $the_id = null) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_POST, FALSE);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
        // Send authorization header with the CJ ID. Without this, the query won't work
        curl_setopt($ch, CURLOPT_HTTPHEADER, array('Authorization: '.$the_id));
        $result = curl_exec($ch);
        curl_close($ch);
        // Put the results to an object
        $resultXML = simplexml_load_string($result) or die("Error: Cannot create object");
        foreach($resultXML->things->children() as $thing) {
            echo $thing->something;
            echo $thing->another_thing;
        }
    }
    fetch($url, $the_id);

does not work? Or are you trying

    function fetch($url, $the_id = null) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_POST, FALSE);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
        // Send authorization header with the CJ ID. Without this, the query won't work
        curl_setopt($ch, CURLOPT_HTTPHEADER, array('Authorization: '.$the_id));
        $result = curl_exec($ch);
        curl_close($ch);
        // Put the results to an object and return it. Assign first: a bare
        // "return x or die()" returns the boolean result of "or", not the object.
        $resultXML = simplexml_load_string($result) or die("Error: Cannot create object");
        return $resultXML;
    }
    $resultXML = fetch($url, $the_id);
    foreach($resultXML->things->children() as $thing) {
        echo $thing->something;
        echo $thing->another_thing;
    }

Or else what is your complete code that isn't working?
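An added example building on the second version above; it is not the poster's code or t_v's. The function takes the URL and the token as arguments and returns a value, as the earlier reply in this thread asks for, and it adds the checks a function that talks to a remote API and parses its XML needs: the curl transfer and HTTP status are checked instead of feeding whatever came back to the parser, the parser refuses to fetch external resources, and errors are thrown rather than die()d so the caller can decide. The fetch is separated from the parse so the parse can be run here on a constructed document without any network; the <things>/<thing> names come from the thread, the child element names are assumptions.

```php
<?php
// Added example, not the poster's or t_v's code. fetchXml() does the HTTP call
// and returns the raw body; parseThings() turns a body into plain arrays. Only
// parseThings() runs below, on a constructed document, so this works offline.
// Element names under <thing> are assumptions.

function fetchXml(string $url, string $token): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Authorization: ' . $token],  // secret arrives as an argument, not a global
        CURLOPT_SSL_VERIFYPEER => true,     // keep TLS verification on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_FOLLOWLOCATION => false,    // a redirect would re-send the header wherever it points
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false) {
        throw new RuntimeException('curl: ' . $err);
    }
    if ($code !== 200) {
        throw new RuntimeException('HTTP ' . $code);
    }
    return $body;
}

// Return the things as plain arrays; throw instead of die() so the caller decides.
function parseThings(string $xml): array
{
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET: the document cannot make the parser fetch external resources.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        throw new RuntimeException('response is not well-formed XML');
    }
    $out = [];
    foreach ($doc->things->children() as $thing) {
        $out[] = [
            'something'     => (string) $thing->something,
            'another_thing' => (string) $thing->another_thing,
        ];
    }
    return $out;
}

// Constructed response standing in for what fetchXml($url, $the_id) would return.
$sample = <<<XML
<?xml version="1.0"?>
<response>
  <things>
    <thing><something>alpha</something><another_thing>1</another_thing></thing>
    <thing><something>beta</something><another_thing>2</another_thing></thing>
  </things>
</response>
XML;

foreach (parseThings($sample) as $thing) {
    echo $thing['something'], ' ', $thing['another_thing'], "\n";
}
// Live use: foreach (parseThings(fetchXml($url, $the_id)) as $thing) { ... }
```

Returning arrays rather than echoing inside the function is what makes the function reusable and testable; the echo loop at the bottom is the only place that decides how the data is shown.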