QuickOldCar

I believe you want to use the $_SESSION['user'] versus $id for the redirect. if ($_SESSION['user']!='') {header("Location: affiliate-profile.php?id=".$_SESSION['user']);} Actually do you really need to pass the GET value to the script when can directly use their $_SESSION['user'] in the affiliate-profile.php script itself? Just send them to affiliate-profile.php and use the session values from there.

The whole checking for users online is a big resource hog, especially if have a lot of users online. Something like a last activity is fine in my opinion.

Is there a display_form() included in functions.php?

Feel free to ask any questions would like here, everyone has to start somewhere. May I suggest looking at the php manual if did not do so yet.

Most likely whoever isn't using responsive will eventually change their sites. A lot of sites made special "mobile" versions. The sites you mention are not very user friendly at all. Seems popularity does not matter for the best website award.

I agree with Jacques on this, just marking each users account attempted logins, not ip's You also have to consider if some clients all using the same ip from same building or households. It's fine if want to try and limit some excessive login attempts, but have to ensure those failed ones wipe out upon successful logins. Some people don't have that stable an internet connection, private browsing and clears every browser close.

I wrote this post over as my first one got lost due to browser opening a new tab, was not happy about that. I mentioned oauth which you may want to look into.

Am going to write a summarized version how can make an api with what you asked. Make a directory named api, in apache config create a new virtualhost for it Replace the word domain to yours and be sure to restart apache <VirtualHost *:80> ServerName api.domain.com DocumentRoot /var/www/api <Directory /var/www/api> Options +Indexes allow from all </Directory> </VirtualHost> If want ssl get a certificate and also add this, save your cert under ssl directory <VirtualHost api.domain.com:443> ServerName api.domain.com DocumentRoot /var/www/api <Directory /var/www/api> Options +Indexes allow from all </Directory> SSLEngine on SSLCertificateKeyFile /etc/apache2/ssl/api.domain.com.key SSLCertificateFile /etc/apache2/ssl/api.domain.com.cert SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown </VirtualHost> Create an index file in the api directory, this will be used as your api front door (api.domain.com) The api will use REST and GET parameters or w/e CRUD design you come up with You should have a cms, user accounts. Create a system that generates public and private keys and ability to create new ones, save keys to a database each users account. Create a form that users can allow or deny ip's or domains,subdomains, save those to a database under that user or even script/service specific each users account. The client would connect over a http request They would be using GET parameters in the url Designate what script to access, the public or private key can determine or limit what that clients actions can perform...such as CREATE,EDIT,DELETE for private keys, the format type of the output, any other parameters needed. Obtain the clients ip $remote_ip = $_SERVER['REMOTE_ADDR']; if (strstr($remote_ip, ', ')) { $ips = explode(', ', $remote_ip); $remote_ip = $ips[0]; } Can do a query using the supplied access key to associate to that user and their allowed ip's or domains. Is the key valid? if not deny them, if so you now know the user If want to check a domain, can use gethostbyaddr and discover their domain. Is the ip or domain not in their allowed list or in a disallow list? if so deny them Can place any additional checks you want into this, such as a credits system, suspended,banned and so on. You would hold all the data in an array, doing checks as you go along, if is an error then deny access, can show whatever messages desire in the output. Through the api you can use various header fields You can do multiple format outputs as a GET parameter, setting json as default if does not exist in url Here is an example how I do mine: //check format if (isset($_GET['format']) && trim($_GET['format']) != '') { $format = trim($_GET['format']); } else { $format = "json"; } $format_array = array( "json", "xml", "html", "iframe" ); if (!in_array($format, $format_array)) { $errors['format'] = "Improper format used"; $format = "json"; } I incorporate a few switches, one to determine which script to include depending the service required via url Another switch would be to determine the header type for output switch ($format) { case 'json': header('Content-Type: application/json; charset=utf-8'); echo json_encode(array( 'data' => $array ),true); break; case 'xml': header('Content-Type: text/xml; charset=utf-8'); //build your xml document and tree structure break; case 'html': //create html document and data break; case 'iframe': //show iframe content break; } If all checks passed the appropriate script would be included, should not allow any other domain to access it unless was allowed by that user. Tracking and usage can be added by a simple hit counter if all the checks passed and actually used.

http://www.facebook.com/externalhit_uatext.php is facebooks bot, at one point in time that file most likely existed and is looking for it.

I see some quote issues, “ and ” versus being "

I agree with Jacques. A good way is to save items in a database such as a section or category, article id's or as pretty/safe slugs Using a properly set up relational database to handle what gets shown and when. For instance when selecting a certain "page" you do a query and get all it's related "subpages" What you should have is an index page with a loop of possible "subpages", if and when the GET value is set for "subpage" it should include a single view code or script of just that "subpages" content. Sometimes I create a whitelist array of the pages allowed, other times I'll fetch the required page name from a database because would exist as a dynamic value. You could try doing something like this to simplify your if's if (isset($_GET['page']) && trim($_GET['page']) !='') { $page = $_GET['page']; } else { $page = "home"; } $script = dirname(__FILE__) . DIRECTORY_SEPARATOR . $page . ".php"; if (file_exists($script)) { require_once($script); } else { echo "Page does not exist"; } Then you can check for $_GET['subquery'] within each script

It appears to be on their end, could be their internet speed and the item times out, some plugin they use in the browser or maybe an antivirus. Just for a wild guess have them try disabling ipv6 in their network adapter, I've seen issues relating to it.

It's a public function that accesses a class to return specific results anywhere you need to.

Can do it like this if want $log = "SELECT username, password, type FROM username WHERE username = '".mysqli_real_escape_string($Garydb,$username)."' AND WHERE password = '".mysqli_real_escape_string($Garydb,$password)."'"; Should really look over the links and suggestions

Is so many things wrong with this code is not worth fixing. I'll list some items wrong or bad with it. can't use header() after there is any output on the page start your session top of the script mysql_* functions are deprecated use mysqli and mysqli_real_escape_string or pdo with prepared statements use password_hash and password_verify upon verifying the user and their hashed password, set the appropriate users id or name plus users rights in a session, from then on can use and check from the session values You can do a users rights in the database 1-9 and the highest being admin with lesser permissions as go lower I have a simple example of user rights in this post keep all the coding logic up top and display html down below could be using html5 You are better off looking on the net and find a tutorial using pdo, password_hash and sessions

Use the code button <> We don't need to see the numbers, we can put it in our editors and see if wanted to.

Is username the name of the table? WHERE is needed first time, then after that is just AND $log = "SELECT username, password, type FROM username WHERE username = '".$username."' AND password = '".$password."'"; This leaves you open to sql attacks, nothing is escaped Look into using mysqli_real_escape_string or pdo with prepared statements, password_hash and password_verify The raw passwords should never be stored anywhere and be hashed instead.

For server includes is no need for the protocol, you can link to local files. Additionally can link to css,images and such within the html using absolute url without a protocol <img src="//mysite.com/image.png" /> Check out some server variables can use A while ago I babbled on a bit about the differences in a post, take a look. http://forums.phpfreaks.com/topic/292789-paths-when-rewriting-urls/?p=1498045

A lot of coders post multiple forums, doesn't matter where you got help, it matters if that person was willing

Personal information was hidden.

Hard to say because do not see the rest of the code for all your includes. //This part does nothing useful as is $queryCases = array("location","Jqualify"); if(in_array($k,$queryCases)) { } switch($k) { case "location": $location = $v;//why define this as $v and not use it $searchCondition .= " where location LIKE '" . $v . "%'"; break; case "Jqualify": $Jqualify = $v;//why define this as $v and not use it if(strlen($searchCondition)>1){ $searchCondition .= " and Jqualify LIKE '" . $v . "%'"; }else{ $searchCondition .= " where Jqualify LIKE '" . $v . "%'"; } break; } echo out the value of $searchCondition do a var_dump() on $userList and post it here

Also useful is $_SERVER['DOCUMENT_ROOT'] or dirname(__FILE__) . DIRECTORY_SEPARATOR

The forum is for helping with code and not making it. If you do not know how to code should find a plugin or hire someone who can. Personally I would make a secure api or a script using GET parameters outside the wordpress loop. Only specific things can access it, anything can be passed via email so really need to sanitize/filter/escape and check it's exact data types are that you expect. Direct insertions into a database. Look into some functions and plugins made to do this. https://codex.wordpress.org/Post_to_your_blog_using_email https://wordpress.org/plugins/postie/ https://wordpress.org/plugins/post-by-email/ http://www.wpexplorer.com/publish-wordpress-posts-email/

The index view would be the limited list of content and linking to a href each one either by it's id or "safe for urls" post slug The pagination of that is different entirely where page 1 would be a limit of say 0-19 records, then each +1 increment page number is +20 records You could do pagination for single post pages too if wanted to split huge data or is a multiple part data. Such as you saying including their files. You should just rely on the id of the record and add the title sanitized at the end just for seo purposes, the title portion would never be required and extra at the end. If you save posts as sanitized slugs in a database can make single pages linked directly to that. Trust me is better off linking to an id, especially same multiple titles and if need to edit those titles in the future changes the location. Using an autoincrement id will ensure are seeing only that record. Do all the processing up top. Determine if is a single page or the index. Perform your query up top so can use that same returned data for seo and also later on for any checking and also the html content. Inject the opengraph and meta data in the head section of the html If a url contains something specific to identify a single page you include either a different script or is coded in the same script using if/else or a switch

You are better off sticking to password_hash and password_verify Set users in a session as name or id. As for remember me just store a token in a cookie for that user and check if exists, if does exist then set the session name that user