
thcx


Everything posted by thcx

  1. Yep, you put this stuff right before the code that you pasted:

         $w = mysql_real_escape_string($w);
         $cat = intval($cat);
         $district = intval($district);
         $type = intval($type);

     Then you find this line:

         $p = (!isset($_GET['p']) || $_GET['p'] <= 1 || $_GET['p'] > $num_pages) ? 1 : $_GET['p'];

     ..and insert one line afterwards:

         $p = intval($p);
  2. Use mysql_real_escape_string() for the search string and intval() for the numeric data (districts, what page they're on etc). (Are you Swedish?)
  3. I'd put the magic in a function and do this:

         if (a csv file) {
             // fgetcsv() returns FALSE at end of file
             while (($data = fgetcsv($handle, 0, ",")) !== FALSE) {
                 magic($data);
             }
         } else if (an xls file) {
             while ($data = parseXLS()) {
                 magic($data);
             }
         } else {
             die("unknown type\n");
         }
  4. If the theory of the field annoys you, it's a good idea to be more practical. Read up on the following types of webapp attacks and protect against them:

     * SQL Injection
     * Cross-Site Scripting
     * Command Line Injection
     * Remote/Local File Inclusion
     * Directory Traversal

     There are of course others, but I'd say that those are among the most important in PHP.
  5.     $url = preg_replace('%/index\.php\?%', '/admin.php?', $url);

     This changes one URL or string. If you want to do that over a whole file, you'll need to put it in a loop.
  6. Try rawurlencode() instead of urlencode().
  7. This looks a bit like XML. Have you tried parsing it with an XML parser?
  8. Try giving the full path to the file in the fopen(). Also try setting "display_errors" to On in php.ini.
  9. !preg_match('%(([0-9]{1,3}\.){3}[0-9]{1,3})\:([0-9]{1,5})%', $sData, $aRegs) || !ip2long($aRegs[1])