cssfreakie
Staff Alumni
Posts: 1,674

Everything posted by cssfreakie

  1. No, you don't append the article name to $_SERVER['SCRIPT_NAME']. This is PHP, you can do that:

         $var = $_SERVER['SCRIPT_NAME'].'/'.$articleid;

     Small tip: just echo these $_SERVER variables out and see what they are, like $_SERVER['PHP_SELF'], $_SERVER['SCRIPT_NAME'], $_SERVER['SCRIPT_FILENAME'], $_SERVER['REQUEST_URL'], etc.
  2. Never mind, Voip linked it. Edit: PS, you're using short tags on this:

         <? //Build Date: 2011-08-14 10:13am ?>

     Depending on the settings that will or will not be executed, and will just be output as is. Don't use short tags unless you did it on purpose.
  3. In normal business you go to a lawyer explain your situation and let him make one. But I bet there are some standard ones out there.
  4. Edit: in addition to darkfreaks, Debbie, use $_SERVER['SCRIPT_NAME']. REQUEST_URL has the exact same flaws: it can be altered, and thus cannot be trusted as is.

     BTW, I think I already explained what htmlspecialchars and htmlentities do in another topic yesterday. But here goes again, so pay attention.

     Anything that comes from outside (user input), like $_POST, $_GET, $_COOKIE, but also REQUEST_URL etc., is subject to injection. In case you want to output stuff, you want to prevent that someone can inject, for instance, JavaScript into the browser. Run this in your browser to see a simple thing you don't want to allow your users:

         <script>alert('xss')</script>

     If you look in the manual you will see (if you did) that htmlspecialchars and htmlentities convert certain characters into HTML entities, in fact taking away their meaning. So if you run this

         $string = "<script>alert('xss')</script>";
         echo $string;

     you will get a pop-up. If you run it through htmlspecialchars or htmlentities you won't. (Why? The answer is already given.)

         $string = "<script>alert('xss')</script>";
         echo htmlspecialchars($string);

     Run this and then view your source (right-click, view source in your browser). You will see that, for instance, the < and the > are converted, making the JavaScript meaningless; in fact you can't call it JavaScript anymore. Hope this helps. But as said earlier, read the security tutorial here at phpfreaks. It will help a lot.
  5. Yes, $_SERVER['PHP_SELF'] cannot be trusted (so if you use it, use htmlspecialchars() on it or htmlentities(), and then it is not dangerous anymore), but $_SERVER['SCRIPT_NAME'] can be trusted. P.S. The reason why $_SERVER['PHP_SELF'] is not safe is because one can inject stuff into the form action by appending JavaScript to the URL.
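The two cases from posts 4 and 5 side by side, as an added example that is not part of the original thread: a comment echoed into body text, and a form action built from $_SERVER['PHP_SELF'], each rendered raw and then through htmlspecialchars(). The comment string and the request path are constructed for the demo (in a live request PHP fills PHP_SELF from the URL, path-info included); the script assumes PHP 7 or later.

```php
<?php
// Added example, not from the original posts: why raw output of user input
// (post 4) or of $_SERVER['PHP_SELF'] in a form action (post 5) is exploitable,
// and what htmlspecialchars() does to it in body-text and attribute context.
// Assumes PHP 7 or later. The comment and the request path below are
// constructed; in a real request PHP fills PHP_SELF from the URL.
declare(strict_types=1);

// HTML output encoder. ENT_QUOTES also encodes the single quote, which the
// pre-5.4 default (ENT_COMPAT) leaves alone, so it is safe inside
// single-quoted attributes too; the explicit charset keeps invalid UTF-8
// from passing through unencoded (ENT_SUBSTITUTE replaces it with U+FFFD).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Body-text context: the <script>alert('xss')</script> case from the thread.
function renderComment(string $comment, bool $escape): string
{
    return '<p>' . ($escape ? e($comment) : $comment) . '</p>';
}

// Attribute context: a form action built from PHP_SELF.
function renderForm(string $phpSelf, bool $escape): string
{
    return '<form action="' . ($escape ? e($phpSelf) : $phpSelf) . '" method="post"></form>';
}

$xssComment = "<script>alert('xss')</script>";
// What PHP_SELF holds after a request for /form.php/"><script>alert(1)</script><!--
// (everything after form.php is path-info; the browser sends it URL-encoded
// and the server decodes it). Constructed here rather than read from a request.
$xssPath = '/form.php/"><script>alert(1)</script><!--';

printf("raw comment:     %s\n", renderComment($xssComment, false));
printf("encoded comment: %s\n", renderComment($xssComment, true));
printf("raw form:        %s\n", renderForm($xssPath, false));
printf("encoded form:    %s\n", renderForm($xssPath, true));
// The encoded action reads /form.php/&quot;&gt;&lt;script&gt;... and the
// browser treats it as an odd path, not as markup.
```

Run it with the php command-line binary. The two "raw" lines are exactly the markup the thread warns about: in the form case the injected `">` closes the action attribute and the `<script>` that follows runs in the page. The two "encoded" lines show `<`, `>`, `"` and `'` turned into entities, so the browser treats them as text. Encoding at the point where a value is written into markup, whichever $_SERVER key or request field it came from, costs nothing and removes the need to reason about which keys a given server configuration lets a client influence.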
  6. Even if you're not brave, or got blue paint on your face: Ajax is the way to go. Have a look into jQuery Ajax. There are quite some tutorials out there, and within an hour you should be able to do some simple stuff with it.
  7. Did you read the sticky? Got a reset.css? If so, do you have a link to your website? This little snippet is not enough.
  8. IE 8 shows it fine; as for IE 7, it doesn't. You want to use conditional comments and set the overflow property for IE 7 to:

         #maincolbck {overflow:visible;}

     Just as a note: I don't know if you bought this template or made it yourself, but the use of !important will cause you headaches. I also recommend you have a read on grid systems, because this template structure is bloated.
  9. It's meant to delay automated systems that are also able to register. Besides that, by letting them check their email you ensure the email address is good, and that the client marks it as friendly since he just registered, ensuring you can send him emails without ending up in the bin.
  10. You can change that with CSS. Just experiment a bit, and keep in mind elements like this have some standard background, borders, margins etc. You can change all that.
  11. Use the right tool for the right moment. As already mentioned, in this case strlen is far more efficient than using regex to accomplish exactly the same. I even saw some benchmarks to prove it. I assume when you had biology classes you weren't looking through a multimillion electron microscope just to see the cells better. A normal microscope is good enough to see simple cell structures. If you'd like to learn regex, super! But keep in mind, any time you ask for a regex people will respond here and say "why on earth do you need that, can't you use bla bla bla", because they want to help you. Using regex because you like the looks of it is the same non-argument as using a multi-trillion-zillion-billion-costing microscope for high school biology classes. Rather say "I want to learn it and I can't be arsed that it's inefficient." Stating that it is 'often' less thorough is incorrect. Anyway, regexes are useful, so learn them, but don't (ab)use them for such simple tasks.
  12. Well, ditch the link you have and use:

         <input type="submit" name="submit" value="submit this form" />
  13. This topic has been moved to HTML Help. http://www.phpfreaks.com/forums/index.php?topic=342104.0
  14. Can you give a reason why it should do anything? I can't see one. As for practical form submissions: wrap the form in <form> tags and place a submit button inside of it.

         <form action="action.php" method="post">
             <input type="text" name="fatgorillas" value="" />
             <input type="submit" name="submit" value="submit this form" />
         </form>
  15. Debbie, please reread the stuff above, and notice the difference between validating and sanitizing. Again, DON'T use regex if you don't need to. PHP has htmlspecialchars() and htmlentities() for a reason. Just look it up in the manual or, for the sake of it, any security guide. What you won't find there is regex. Regex is used, for instance, to check if an email address is valid. But if you want to, please do; I do not mind. Pretty much all examples are given and it should be clear now.
  16. Ah, I noticed a little error in my code. Nothing big, but to keep the input persistent even if the input is outside the min and max characters, place the assignment for $title outside the success part of the clause, like so:

         <?php
         if(isset($_POST['submit']) && !empty($_POST['title'])){ // if submit was pressed and the value is not empty
             // check title value.
             $title = htmlspecialchars($_POST['title']); // MOVED IT TO here to keep it persistent
             if(strlen($_POST['title']) < 101 && strlen($_POST['title']) > 19){ // title between 20 and 100 characters
                 // all is good
             }else{
                 echo 'title is either too long or too short';
             }
             // check other stuff
         }else{
             echo 'insert stuff';
         }
         ?>
  17. The Dutch-speaking share of the web designers is apparently large, internationally speaking? VOC mentality.
  18. Well, pretty much, yes. Although I assume you agree with me that you expect a different length for a title and a description than for the body of a message, right? So besides running stuff through htmlspecialchars() or htmlentities() (to prevent bad things), you probably also want to check, for instance, the length. But those have a different purpose. The first is to prevent bad things; the second is to add, for instance, consistency or readability.

     As an example, say I have the following wishlist. I want:
     - a description of max 150 characters and minimum 20 characters
     - a title of max 100 characters and minimum of 20 characters
     - a message of maximum 1000 characters, minimum of 100 characters.

     We expect different things of them, but they all have at least one thing in common: we output it, thus we must run it through either htmlentities() or htmlspecialchars() to prevent bad things, apart from our wishes to make it a certain length. (This is true for any user input.) A little check for the title could look like this (notice I only did the title one):

         <?php
         error_reporting(E_ALL);
         ini_set("display_errors", 1);
         header('Content-type: text/html; charset=utf-8');
         ?>
         <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
         <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
         <head>
             <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
             <title></title>
             <style type="text/css">label, textarea{display:block;}</style>
         </head>
         <body>
         <div id="wrapper">
         <?php
         if(isset($_POST['submit']) && !empty($_POST['title'])){ // if submit was pressed and the value is not empty
             // check title value.
             if(strlen($_POST['title']) < 101 && strlen($_POST['title']) > 19){ // title between 20 and 100 characters
                 $title = htmlspecialchars($_POST['title']);
             }else{
                 echo 'title is either too long or too short';
             }
             // check other stuff
         }else{
             echo 'insert stuff';
         }
         ?>
         <form action="<?php echo $_SERVER['SCRIPT_NAME']; ?>" method="post">
             <p>
                 <label for="title">Title:</label>
                 <textarea id="title" name="title" rows="3" cols="50"><?php echo isset($title) ? $title : ''; ?></textarea>
                 <label for="description">Description:</label>
                 <textarea id="description" name="description" rows="5" cols="100"></textarea>
                 <label for="messagebody">Message:</label>
                 <textarea id="messagebody" name="messagebody" rows="10" cols="100"></textarea>
                 <input type="submit" name="submit" value="submit form" />
             </p>
         </form>
         </div>
         </body>
         </html>

     P.S. If you don't need to use regex, don't! It uses many more resources, and if you are not looking for a distinct pattern it's useless.
  19. Inside double quotes and a heredoc a backslash would suffice, for instance:

         echo "lalala this \$variable will not work";

     Inside single quotes $ has no meaning.
  20. "It actually outputs one thing, but that can make multiple requests, such as: images, CSS, JavaScript, Flash, audio, video, XML, etc." Exactly! One chunk (aka one thing). And to keep it on the subject: PHP does not affect the amount of requests; it's the chunk it outputs that does.
  21. Exactly! On insert: if you just use mysqli_real_escape_string (for strings) and type casting (for integers) on insert into your database (or prepared statements), you're good to go. On output: htmlspecialchars or htmlentities on output and you're safe against XSS attacks (in all modern browsers; small exception for IE6, but that is a bit technical). Validating: keep in mind, though, that validating depends on what you expect. So if you expect a telephone number you are looking for digits and a certain length. If you're looking for an email address you validate if it is an email. If you're looking for a name you expect alpha characters. Feel the difference between validating and sanitizing? Here is some more reading if you have nothing on your hands: https://www.owasp.org/index.php/Interpreter_Injection#PHP_specific_examples
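The validate, store, output flow that post 21 describes, with the length check from post 18's title example, as one added runnable script that is not part of the original thread. It uses an in-memory SQLite database through PDO so it runs offline; this assumes the pdo_sqlite and mbstring extensions are loaded and PHP 7 or later. The form values are constructed test input, and the table schema and field names are invented for the demo.

```php
<?php
// Added example, not from the original posts: the validate -> store -> output
// flow of post 21, with the title length check of post 18. Uses an in-memory
// SQLite database via PDO (assumes pdo_sqlite) and mb_strlen (assumes mbstring).
// All form input below is constructed test data.
declare(strict_types=1);

// 1. Validation: is the input acceptable for what we expect? Returns a list of
//    error strings; an empty list means valid.
function validatePost(array $input): array
{
    $errors = [];

    // Title: 20 to 100 characters. mb_strlen counts characters, strlen counts bytes.
    $titleLen = mb_strlen($input['title'] ?? '', 'UTF-8');
    if ($titleLen < 20 || $titleLen > 100) {
        $errors[] = 'title must be between 20 and 100 characters';
    }
    // E-mail: a format check, the job the thread reserves for validation.
    if (filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is not valid';
    }
    // Phone: digits only, 7 to 15 of them. One place where a pattern is the right tool.
    if (!preg_match('/^[0-9]{7,15}$/', $input['phone'] ?? '')) {
        $errors[] = 'phone must be 7 to 15 digits';
    }
    // Category id: a positive integer. A bare (int) cast would silently turn
    // "5 OR 1=1" into 5; validating first rejects it instead.
    $opts = ['options' => ['min_range' => 1]];
    if (filter_var($input['category'] ?? '', FILTER_VALIDATE_INT, $opts) === false) {
        $errors[] = 'category must be a positive integer';
    }
    return $errors;
}

// 2. Storage: a prepared statement sends the data separately from the SQL text,
//    so quotes in the data cannot change the query and no escaping call is needed.
function storePost(PDO $db, array $input): int
{
    $stmt = $db->prepare(
        'INSERT INTO posts (title, email, phone, category) VALUES (:title, :email, :phone, :category)'
    );
    $stmt->execute([
        ':title'    => $input['title'],
        ':email'    => $input['email'],
        ':phone'    => $input['phone'],
        ':category' => (int) $input['category'],   // cast only after validation passed
    ]);
    return (int) $db->lastInsertId();
}

// 3. Output: encode where the data meets HTML, not before storing it.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderPost(array $row): string
{
    return '<h2>' . h($row['title']) . '</h2><p>' . h($row['email']) . ' / ' . h($row['phone']) . '</p>';
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, email TEXT, phone TEXT, category INTEGER)');

// Constructed input that passes validation yet carries a SQL quote and a script tag.
$good = [
    'title'    => "O'Brien's guide to <script>alert(1)</script> tags",   // 49 characters
    'email'    => 'user@example.com',
    'phone'    => '31201234567',
    'category' => '3',
];
// Constructed input that fails validation on every field.
$bad = ['title' => 'short', 'email' => 'not-an-address', 'phone' => '555-FAKE', 'category' => '5 OR 1=1'];

$select = $db->prepare('SELECT * FROM posts WHERE id = :id');
foreach (['good' => $good, 'bad' => $bad] as $label => $input) {
    $errors = validatePost($input);
    if ($errors) {
        echo "$label: rejected: ", implode('; ', $errors), "\n";
        continue;
    }
    $id = storePost($db, $input);
    $select->execute([':id' => $id]);
    $row = $select->fetch(PDO::FETCH_ASSOC);
    // The title is stored exactly as typed; nothing was escaped on the way in.
    echo "$label: stored as #$id, title kept verbatim: ", var_export($row['title'] === $input['title'], true), "\n";
    echo renderPost($row), "\n";
}
```

The point the three stages make together: validation decides whether the value is acceptable at all and rejects the bad record outright; the prepared statement stores the good title, apostrophe and script tag included, without any escaping; and htmlspecialchars() is applied only when the row is rendered, so the same stored value could later go into JSON or an e-mail with the encoding appropriate to that context instead. Storing already-HTML-encoded text, as the thread's title example does, works for a single HTML page but double-encodes the moment the value is encoded again on output.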
  22. If you want to allow people to leave a comment without performing an XSS (cross-site scripting) attack, you don't need regex, but you need something like htmlspecialchars() or htmlentities(). These two functions convert certain special characters into HTML entities so that they don't cause any harm (like JavaScript). For instance:

         <script>alert('boe');</script>

     will be converted into

         &lt;script&gt;alert('boe');&lt;/script&gt;

     If you look in the source code after executing the script with those functions you will see the HTML entities. So there is no need to add some sort of super whitelist of characters.
  23. PHP is handled server side, so HTTP requests are not an issue there. It outputs one chunk that is sent to the browser. If you want to find out how many HTTP requests you make, get an add-on named YSlow for Firefox or Chrome and run it. It will even tell you what you should do to optimize. As for performance, have a read here: http://developer.yahoo.com/performance/rules.html
  24. This is the CSS forum. We also have an HTML, JavaScript, server etc. forum. And yeah, all under the roof of phpfreaks.
  25. [sherlock holmes mode] Flemish Belgium? [/sherlock holmes mode]