requinix (Administrators; 15,264 posts; 431 days won)

Everything posted by requinix

  1. I try not to link across forums but here is a fairly long list of ideas. Not all of them apply to PHP but it's a place to get some ideas.
  2. It gets you partway. It's still possible for people to exploit events like "Hover over me": strip_tags() won't remove attributes. Best idea I've seen is to use strip_tags() to remove the tags you don't want, then DOM (e.g., DOMDocument) to remove all attributes (except any ones you want to allow).
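An added example of the two-step approach described in that post (this is not requinix's code or anything from phpfreaks): strip_tags() with a tag allowlist, followed by DOMDocument to drop every attribute that is not on a per-tag allowlist. The tag and attribute allowlists, the `sanitize-root` wrapper id and the sample input are assumptions made for the illustration; the extra scheme check on `href` is an addition beyond the post, because an allowlisted attribute can still carry an unwanted value.

```php
<?php
// Added example, not code from the original post. Demonstrates strip_tags() for
// tag filtering followed by DOMDocument for attribute filtering.

function sanitizeHtml(string $html, array $allowedTags, array $allowedAttrs): string
{
    // Step 1: strip_tags() removes disallowed tags but keeps attributes on the
    // tags it leaves in place, so it cannot be the only step.
    $html = strip_tags($html, '<' . implode('><', $allowedTags) . '>');

    // Step 2: parse what is left and remove every attribute that is not allowed
    // for that particular tag. The wrapper id is an assumption of this example.
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate sloppy user markup
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="sanitize-root">' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $xpath = new DOMXPath($doc);
    $root = $xpath->query('//div[@id="sanitize-root"]')->item(0);

    foreach ($xpath->query('.//*', $root) as $element) {
        $tag = strtolower($element->nodeName);
        $permitted = $allowedAttrs[$tag] ?? [];

        // Collect names first: removing while iterating a live attribute map skips entries.
        $toRemove = [];
        foreach ($element->attributes as $attr) {
            $name = strtolower($attr->nodeName);
            if (!in_array($name, $permitted, true)) {
                $toRemove[] = $name;
                continue;
            }
            // An allowed attribute can still hold an unwanted value: only keep
            // http(s) and mailto links (scheme allowlist is an assumption here).
            if ($name === 'href' && !preg_match('#^(https?:|mailto:)#i', trim($attr->nodeValue))) {
                $toRemove[] = $name;
            }
        }
        foreach ($toRemove as $name) {
            $element->removeAttribute($name);
        }
    }

    // Serialize only the children of the wrapper so the caller gets a fragment back.
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input: an event attribute, a javascript: link and a script tag.
$sample = '<p onclick="x()">Hi <a href="javascript:y()" onmouseover="z()">Hover over me</a>'
        . '<script>bad()</script> <em title="t">ok</em></p>';

echo sanitizeHtml($sample, ['p', 'a', 'em'], ['a' => ['href'], 'em' => []]), "\n";
```

Note that strip_tags() removes the `<script>` tags but not the text between them, so the literal `bad()` survives as plain text; that is harmless as text, but it is a reminder that the function filters markup, not content.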
  3. Actually it's quite good. I guess you mean to say that it won't work in your case. So why not?
  4. If by "rich text" you mean one of those JavaScript editor things, then: you don't have to use it; stuff will already be entity-encoded. If you're worried about disallowed HTML tags then strip_tags is a good start.
  5. And exactly what change(s) did you make?
  6. You misspelled the function name.
  7. Its ID is "$joinId", not "SubQty".
  8. What type of field is user_id?
  9. Did you grab the SDK tools?
  10. Use absolute links like … Note the leading slashes.
  11. You have to link to the new URLs, not the old ones. In order: probably, yes, and I'm not sure what you're asking but the answer is probably "yes" too.
  12. onmouseout and onmouseleave are two different events. It's not jQuery's fault you didn't know the difference.
  13. Cookies have a very important drawback: the user can see and edit them. Don't put sensitive information in them because if there's a vulnerability on your site then a malicious user might be able to grab that information from an innocent user. Also don't assume that what you put in there will stay intact because things like user IDs and privilege levels could be changed, and unless you verify that the information is correct then it cannot be trusted. (Just like $_GET and $_POST.) Also keep in mind that you can only have one value for the entire site, so storing form values (for example) means you could only remember the one form at a time. If you're considering using a cookie for something, think harder about whether it would be better/more appropriate/safer in a session value instead. Under 99% of configurations, session values are stored on the server and thus safe from tampering.
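An added example (not requinix's code) contrasting the two places that post discusses: a privilege flag read from $_COOKIE, which the client fully controls, next to the same flag read from $_SESSION, which lives on the server. It also shows the "verify that the information is correct" part: if a non-sensitive value really has to travel in a cookie, an HMAC over it lets the server detect edits. The cookie and session names, the secret and the sample values are assumptions for the illustration.

```php
<?php
// Added example, not code from the original post.

// UNSAFE: every byte of $_COOKIE comes from the client, so this check is only a
// suggestion that the browser can ignore by editing the cookie.
function isAdminFromCookie(array $cookie): bool
{
    return ($cookie['is_admin'] ?? '0') === '1';
}

// SAFE: the flag was written server-side at login and is stored with the
// session; the client only holds an opaque session ID.
function isAdminFromSession(array $session): bool
{
    return ($session['is_admin'] ?? false) === true;
}

// If a value must live in a cookie, sign it so tampering is detectable.
// The user can still read it, so it must not be sensitive.
function signCookieValue(string $value, string $secret): string
{
    return $value . '.' . hash_hmac('sha256', $value, $secret);
}

// Returns the original value, or null when the MAC does not match.
function verifyCookieValue(string $signed, string $secret): ?string
{
    $dot = strrpos($signed, '.');
    if ($dot === false) {
        return null;
    }
    $value = substr($signed, 0, $dot);
    $mac = substr($signed, $dot + 1);
    $expected = hash_hmac('sha256', $value, $secret);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $mac) ? $value : null;
}

// Constructed demonstration values (the secret is a placeholder).
$secret = 'server-side-secret-placeholder';

$signed = signCookieValue('theme=dark', $secret);
$good = verifyCookieValue($signed, $secret);      // original value comes back

// Keep the MAC but change the payload: verification fails.
$tampered = 'theme=light.' . substr($signed, strrpos($signed, '.') + 1);
$bad = verifyCookieValue($tampered, $secret);     // null

// The cookie-based privilege check accepts whatever the client sends.
$cookieSaysAdmin = isAdminFromCookie(['is_admin' => '1']);

var_dump($good, $bad, $cookieSaysAdmin);
```

In practice the admin flag belongs in $_SESSION after session_start(), and signing only protects integrity: anything placed in a cookie is still visible to whoever holds the browser.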
  14. Actually no. There are two types of variables: superglobal variables and normal variables. The superglobals are true "global" variables; they are $_POST, $_GET, $_SESSION, and the other similar $_ arrays. They are accessible absolutely everywhere. Note that you cannot define your own superglobals. Everything else is just a normal variable.

      There are two levels of variable scope: function (inside a function) and file (outside a function). When you define a variable in one it's available to everything else afterwards but only while in the same scope. Variables outside a function are not available inside a function, and vice versa. This also includes nested functions such as closures.

      There are three exceptions to these rules.
      1. Inside a function you can access a variable defined in the file scope with the "global" keyword or the $GLOBALS array (which is a superglobal). This is strongly discouraged.
      2. Class functions can access class variables by using $this. Technically this isn't an exception but it looks like one.
      3. Closures (aka anonymous functions) can access variables defined immediately outside it with the "use" keyword.

      Classes could be called a third scope but IMO they aren't.

      To answer the question, A. Each time PHP starts executing the first file (that is, only the very first file and not any others that may be included) it starts from scratch, creates the few automatically-defined things (like $_POST and $_GET), and runs your code. So even if you defined a variable earlier you can't get it because it was "lost". If PHP were drawing on a whiteboard, it would draw variables and functions and all that and then erase the whole board when it was done. The next time it starts drawing it has a clean slate.

      Sessions can emulate the B option. It is not actually that: the variables aren't preserved across each script. What PHP does is have a special $_SESSION array and, when the script is done, it (separately) stores everything you put in there. When PHP executes the next file it looks up what it remembered and reconstructs $_SESSION.
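An added example (not requinix's code) that walks through the scope rules in that post: a file-scope variable that is invisible inside a function, and the three exceptions (global, $this, closure use), followed by the $_SESSION round trip that emulates persistence between requests. All names are made up for the illustration.

```php
<?php
// Added example, not code from the original post.

$counter = 1;   // file scope

function readsNothing(): ?int
{
    // File-scope variables are not inherited: $counter does not exist here.
    return isset($counter) ? $counter : null;
}

function viaGlobal(): int
{
    global $counter;      // exception 1: import from file scope (discouraged)
    return $counter + 1;
}

class Box
{
    private int $size = 3;

    public function size(): int
    {
        return $this->size;   // exception 2: class members through $this
    }
}

$limit = 10;
$clamp = function (int $n) use ($limit): int {   // exception 3: closure "use"
    return min($n, $limit);
};

var_dump(readsNothing(), viaGlobal(), (new Box())->size(), $clamp(42));

// $_SESSION is different: PHP serializes it at shutdown and rebuilds it after
// session_start() on the next request, so the count survives even though every
// other variable above is gone when the script ends.
session_start();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
var_dump($_SESSION['visits']);
```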
  15. You named four.
  16. [edit] Nevermind that. Only thing I can think of is TTF support on the server. phpinfo() should include a section on GD: what does it say?
  17. Okay, the alternative: Save the image somewhere and open it with Notepad (or some other text editor). Do you see any error messages?
  18. ...and the second-most important part is the echo at the bottom. But leave off the htmlspecialchars() part, that shouldn't be there.
  19. Without the header() you should only be seeing the raw binary data. You should not be seeing any image at all.
  20. Personally I prefer outputting the XML manually, but that's irrelevant. The most important part of xyph's example is the header(). Without it the browser will think the output is HTML. Which it isn't.
  21. The time is calculated according to your server. Not according to where the user is. The only way it would be like that is if your code specifically altered the timezone PHP was using to calculate dates. gmdate("YmdHis") for starters, making sure that the timezone is the server's timezone and not the user's.
  22. Comment out the header() and look for error messages.
  23. This topic has been FUS RO DAHed to PHP Regex. http://www.phpfreaks.com/forums/index.php?topic=358571.0 (I've got Skyrim open on the other monitor)
  24. You need a $ anchor to ensure the expression matches the entire string, rather than just an initial length of it.
  25. CSRF

      > The problem isn't that you're not using CSRF tokens

      That is the problem. As a user I find it distressing when the person/people maintaining a site I use simply don't care. You just shrug off spam? That shows you have no interest in the health of the forum, and if you don't care then why should I?