requinix

Your use of XPath is right. Your use of DOMDocument is not. $doc->loadHTML(That loads an HTML string. You want loadHTMLFile which loads HTML from a location.

Nope. Was just a question about syntax.

OWASP is a good place to start, like their Top Ten Project listing the worst flaws for web applications.

Regular expressions? Take a walk on the wild side! $len = strcspn($string, "1234567890"); $left = substr($string, 0, $len); $right = substr($string, $len);Consider trim()ing the two values too.

Heredoc is a string. You don't put PHP code into it. $my_var = "The colour is red"; $my_var = <<<EOD The colour is red EOD; $colour = "red"; $my_var = <<<EOD The colour is $colour EOD;

You can't use smart quotes in HTML markup. Only straight quotes. Your browser is silently interpreting that HTML as The Americans with Disabilities Act was enacted in 1990 to establish the prohibition ...

Fix the exploit.

It is clearly not.

The Americans with Disabilities Act was enacted in 1990 to establish the prohibition ...Smart quotes.

Are you absolutely, definitely, 100% sure that is exactly how it is in the database? I don't think it is, partly because I can't help but notice that the screenshot shows something different from what you said. I think you have something more like

Two problems with your code. 1: Non-static method MDB2::connect() should not be called statically $this->db_connection = MDB2::connect(DB_DSN);2: Non-static method PEAR::isError() should not be called statically if (PEAR::isError($this->db_connection)) {Try fixing those (you probably want instances of those two objects) and see if that resolves all your problems - and makes all those Strict warnings go away.

Use both the ID and title. Otherwise you have to make sure the title is unique for every post (which, you know, it kinda should be) but you can do that easily enough by assigning each post a specific "title" just for the URL. As for people breaking your queries, you're doing something very wrong. Post your code.

Use usort with a function like function($a, $b) { list($a1, $a2) = explode("/", $a); list($b1, $b2) = explode("/", $b); return ($a1 != $b1 ? $a1 - $b1 : $a2 - $b2); }

Given how the quantity is used everywhere else in the script, you probably want echo $_SESSION['cart'][$row['id']]['quantity'];

The php5apache2_4.dll is for Apache 2.4. You are using Apache 2.2.

Don't worry about resources.

Ah, no extension. What I posted + dirname + basename().

For the filename, with or without extension, basename. For the path relative to /lalala/temp, substr($str, strlen("/lalala/temp/"))

So you have some sort of setup involving load balancing or proxies? How and from where are you accessing the server?

Ah. No, keep using mysql_real_escape_string(), but you have to connect to the database before you can use it. So move that include("includes/db.php");up higher in the script.

So are you saying that it does insert something but they're all blank values? And that you are not getting a "MySQL Error" every time you try?

They don't spell it out in the documentation for double-quoted strings, but they do for single-quoted. So the double-quoted string version would be

echo $idMissing a semicolon. It works in the first one because it's the last statement within the <?php block. It's not the last statement in the second one. echo ""1. Missing a semicolon. Yes, last statement, but do it anyway. 2. Strings

0x... is a way of getting a string into SQL without needing quotes. mysql> SELECT 0x5E252421, 0x4E554C4C, 0x2A5B7D2F, 0x25676F6F676C656D61696C2E25 ; +------------+------------+------------+------------------------------+ | 0x5E252421 | 0x4E554C4C | 0x2A5B7D2F | 0x25676F6F676C656D61696C2E25 | +------------+------------+------------+------------------------------+ | ^%$! | NULL | *[}/ | %googlemail.% | +------------+------------+------------+------------------------------+What they're doing there is trying to get IDs, emails, and passwords from the maver_user.users table. It's failing for a couple reasons: the number of fields doesn't match the rest of the query (6 in the first half, 1 in the second), and you probably don't have that table. The SQL injection is with the 56 in WHERE p.id = '56'

What I meant (which was entirely non-obvious, sorry) was that copying from a printed book means you have to type everything by hand. It's easy to make a typo. See if the book has a website where you can download the files. Would also save you a lot of time. How old is "that old"? - The __autoload function has been deprecated for a while now, in favor of that spl_autoload_register() I mentioned - Using __construct in the class is more recent, but there's no use of "accessibility modifiers": public, private, protected It's also bad form to use @s everywhere like that code does, as well as the global keyword, but that goes more toward the quality of the material than its age. It may very well be defined in that file, but that file needs to be required before it's available. And should be at the global scope - not inside a function or class. Which it looks like it is... except the line numbers don't match up? What's the current version of the file?