requinix

That one person. I thought you were trying to change the code to handle multiple jobs from multiple people?

There are a few problems but mostly it's $earningsformatted = number_format($earnings, 2);You overwrite $earningsformatted every time. You're doing a database query to get these numbers, right? Right. If you want the total then you should make that query return to you the total. So you don't have to do it yourself. If you're not sure how then we'll need to see the query to tell you how it should change.

One more typo: $path= file_get_contents('core/files/'.{$row['$file_name']});Too many $s. Get rid of the unnecessary {}s while you're there.

The session ones. While you're at it, why not check all settings? phpinfo can help.

Looks like the hashes don't match. Are you sure the data is in the session in the first place?

Where are $hash and $tstamp coming from?

Unless your thumbnail generator destroyed it, the temporary file is still there.

You're asking why everything seems to be working up until the point that it doesn't work? As I said, offsets and those functions work on individual bytes. Characters in UTF-8 strings can be one byte (like in most of those names) but they could be up to four bytes. The code will break on strings that have any of those.

Those are the request headers. You need to look at the response headers. They'll start with "HTTP/1.1 200 OK" (probably).

$iThat does not make sense. strlen() gives you the number of bytes in the string, and then you utf8_decode() that number? With multibyte strings you cannot use functions like strlen() or even use offsets, like [$i]. You also should not be utf8_decode()ing the string because what actually happens is PHP converts it from UTF-8 to ISO 8859-1 and you'll lose characters. The whole function needs to be rewritten. Can't use strlen, substr, offsets, utf8_decode... Think you can handle that?

= is available in PHP 5.4+ regardless of settings. If it doesn't work then you're using 5.3 (or earlier) and you need to upgrade.

That is not possible.

Alright. First off, please stop saying "IP". This has absolutely nothing to do with IP addresses... unless... Exactly what are you entering? An IP address? Or a user-agent string? If you're thinking that you can enter an IP address and detect their operating system, you are very wrong.

You keep saying IP address but I don't think that's what you mean. Are you saying you want to get the value of $user_agent from the user instead of $_SERVER?

$hook, the variable, as shown in that one line of code I posted a few days ago, works just fine. At the moment that's all I care about. Output it immediately. Use echo, or print, or whatever else you'd like. Then the script will fatal, yes, but that's okay because it outputted the value of $hook before that happened.

[edit] It should be "inline", not "attachment". Big oops. [/edit] How to use the Network Panel You need to see the response headers for the page. That means opening up the network panel thing, reloading the page, clicking on the request for the page (and not for an image or something else), and reading the headers.

If you're not sure then the best way to find out would be to output it. $hook will be a string so you don't have to do anything special to it first.

If you can use .htaccess files then put one in the uploads folder containing Header set Content-Disposition attachmentIf your browser still doesn't show the doc, or other file, inline then there's nothing else you can do - short of verifying that the Content-Disposition header was present in the response (using whatever tool you like).

I had a reply drafted for that other thread. Guess I didn't send it. XSS is always fixable. You might be using something like PHP_SELF in... I don't know, is that a ? For a form specifically you can leave the action empty to have the page post back to itself, but if you must use it then you should htmlspecialchars() the value so the quotation mark they embedded in the URL (%22) doesn't break your HTML and thus lead to XSS. Post the code for whatever generates the HTML that the XSS is exploiting (so put that in your browser, do a View Source on the page, and see where it's being outputted) and it'll take all of a few seconds to correct it. The problem with things like X-Content-Security-Policy is they rely on browser support - IE being the problem child, as always. You can return it if you wish but you still have to do everything else.

Concatenate the values, but that can mess up the matching if it tests for something that starts in one value and bleeds over into the other. Which is why I was saying not to do it. I had remembered doing URL matching against the REQUEST_URI specifically, including matching stuff in the query string, but I guess I was doing that in PHP code rather than using mod_rewrite. So... no. ...and fix the injection point. Because I guarantee you that you won't be able to protect against everything an attacker can dream up by using just mod_rewrite.

Because your server is telling the browser to do a download and/or your browser is not capable of showing the doc. Do you want all files in /upload/ to always show inside the browser? Never download? Are you using Apache?

It's possible but there's no good reason why you should. Stick with the [OR]ed solution because it's much easier to understand and work with. [edit] You do know REQUEST_URI will include the query string, right? What is it that you're testing that needs both? Or at the very least needs REQUEST_URI instead of just using RewriteRule?

You're using IIS so you don't have a .htaccess. Unless you managed to post in the complete opposite forum than you should have. How to redirect in IIS

You cannot do both a download and a redirect. The general workaround is to redirect first, then "redirect" to the download. Couple ways you could do that but the one I'd go for is: 1. POST to the same place as before, generate the PDF, and store it somewhere temporarily with a unique identifier 2. Redirect to the new_page.html with something in the session or query string indicating the PDF to download 3. Have new_page.html do a client-side redirect (eg, a or Javascript) to the download location

Unless your own hardware isn't enough, in which case cheap shared hosting probably won't be able to give you the performance you want, then you could just run the stuff on your own computer. MAMP/WAMP/XAMPP are all more-or-less self-contained packages of everything that you need. It's free, reliable (depending how much you want to fiddle with it), fast, runs whatever version of PHP you want for the most part... You do lose out on support but there's a lot available on the internet to help with that.