l0gic

Everything posted by l0gic

  1. Come to think of it, I actually have this implemented in a game. One database handles all the logins. And then there's a database for each 'game world'/'realm' after that and you can hop between them. And each of those game worlds is populated with items from an item database. However I didn't do it on purpose to be more secure, that was just the way I could see it working when I developed it.
  2. Well some people would look at a 'large' site and split their database into several smaller databases to handle each part of the site. For example, an online store with a forum might have:

     User Info: Containing user information like usernames, real names, contact information, personal details, etc.
     Shop: Containing products, product info, prices, comments, etc.
     Forums: Containing forum topics, posts and replies, etc.
     Purchases: Purchase history, invoices, orders, etc.

     I don't know if people still do it much like this, but imagine when your users sign in they have to authenticate themselves and set a session variable. Now they authenticate themselves using your database which also contains personal data, orders, etc.. They're all open to inject-type attacks. But if they're only authenticating using a database that only stores login data and what-not then that type of attack has no direct path to those other details. Same as forum posts, the purchases database wouldn't be as easily attacked from an attack on the forum database. Following? Again, I don't know if this is widely used or not.. Maybe someone who worries about security more than I can chime in?
  3. Well explode breaks a string into many array elements, and implode builds a string from array elements. Like so..

     <?php
     $str = "1,2,3,4,5";
     echo $str; // would display "1,2,3,4,5"

     $explodedstring = explode(",", $str);
     echo $explodedstring[0]; // would display the first array element, in this case "1"
     echo $explodedstring[4]; // would display the fifth array element, in this case "5"

     $implodedstring = implode("-", $explodedstring);
     echo $implodedstring; // would display "1-2-3-4-5"
     ?>

     More here:
     http://php.net/manual/en/function.explode.php
     http://php.net/manual/en/function.implode.php
  4. Actually, it's a debit card.. But I guess "lots" still applies. Have you considered splitting your database?
  5. Kinda walked into that didn't I? See what Santa brings you.
  6. Looking into it more, mcrypt would be the way to go if you really wanted to do this. I can't say I've ever come across the need to do it though. And your users should be aware of what they send via private message, it comes back to that common sense thing. For example, Scootstah might PM me asking if he can use my credit card to buy something. I wouldn't reply saying "Yeah, of course my CC number is 5402........... etc" I'd just say yes, that it could be arranged.
  7. Right.. Carry on.. I'm off to the pub.
  8. Fair enough, I'll retract my previous statements with the exception of... "Personally I'd just be pickier about who can see the DB."
  9. Yes, but seeing is not the same as reading. And if anyone browsing the DB through say PhpMyAdmin or an SQL dump has the ability to decode that in their mind, then they deserve to be able to read it.. If they have the ability to pull it out and use base64_decode() then it wasn't worth doing in the first place. Common sense is usually secure enough. If people shouldn't be able to see things, don't give them the means to see things.
  10. Well, try this..

      <?php
      $str = "This is an encoded string";
      echo base64_encode($str); // Should output VGhpcyBpcyBhbiBlbmNvZGVkIHN0cmluZw==
      ?>

      So..

      <?php
      $str = "This is an encoded string";
      echo "Original: " . $str . "<br>\n";
      $str = base64_encode($str);
      echo "Encoded: " . $str . "<br>\n";
      echo "Decoded: " . base64_decode($str) . "<br>\n";
      ?>

      Pretty much copy/pasted from:
      http://php.net/manual/en/function.base64-encode.php
      http://php.net/manual/en/function.base64-decode.php

      Personally I'd just be pickier about who can see the DB.

      Edit: Fixed my error in second lot of code.
  11. Are your menu items pulled from a database? If so using SORT in your queries may help.
  12. So, why not just use..

      if ($_SESSION['loggedOut'] == true) {
          $returnToPage = "/index.php";
      } else {
          $returnToPage = $_SESSION['returnToPage'];
      }

      ..on each page?
  13. Why have they gone from a database to a flat file? Seems like a bit of a backwards step! Looking at this from my iPhone, so I can't really test anything but it looks like its still trying to use MySQL?
  14. ... else if(strlen($_POST["username"]) >= 5 && strlen($_POST["username"]) <= 10){ ... ..?
  15. To re-cap on my previous post.. (was from my iPhone, very tedious to post code from!)

      // Build the HTML body of the error report row by row
      $body = "<table>\n";
      $body .= "<tr><td colspan=\"2\">A website error has occurred...</td></tr>\n";
      $body .= "<tr><td>Date:</td><td>" . date('Y-m-d g:i:sa', time()) . "</td></tr>\n";
      $body .= "<tr><td>Results Code:</td><td>" . $resultsCode . "</td></tr>\n";
      $body .= "<tr><td>Error Page:</td><td>" . $errorPage . "</td></tr>\n";
      $body .= "<tr><td>Member ID:</td><td>" . $memberID . "</td></tr>\n";
      $body .= "<tr><td>IP Address:</td><td>" . $ip . "</td></tr>\n";
      $body .= "<tr><td>Host Name:</td><td>" . $hostName . "</td></tr>\n";
      $body .= "</table>\n";
  16. You don't need to use CSS for an HTML table.
  17. Your user's email address can only be changed by the owner who has already logged in proving and confirming their credentials, right? If so your system is working fine. If not, and you're worried that the person who has managed to log in to change said user's password may be tempted to do it again in future. Well there's nothing you can do really. If the user has logged in they've already satisfied your script with the correct login name and password, changing the hash won't matter.. For example, if my password is "bobbob7" and I log in to your site and change my email address, if you then want to change my salt/hash it isn't going to change my password that I type in, I will still use "bobbob7" next time I log in. I understand you want to be secure but I also believe that what you want to do here is pointless. If you did this, where would your security stop? Next thing you know when a user wants to log in they will have to call you to come over and watch them log in just so you know it's them..? Maybe you can explain your thought process on this some more?
  18. Refer: http://www.phpfreaks.com/forums/index.php?topic=355645.msg1680476#msg1680476 Also sounds like you're storing integers as strings in your database. You may want to check you're storing as INT, etc.
  19. Did your host tell you that? - 0% is no CPU usage and 100% is max CPU usage. Unless your PHP is somehow physically adding several more CPUs to their server that's a fair way from being right. Well, I'm pretty sure you shouldn't have '&&' in your query but rather 'AND' so:

      DELETE FROM ws_bi2_cup_matches WHERE matchno='5' AND type='gs' AND ladID='0' AND 1on1='1';

      Also if 'matchno', 'ladID' and '1on1' are stored as integers in your database you shouldn't need to be surrounding them with single-quotes so:

      DELETE FROM ws_bi2_cup_matches WHERE matchno=5 AND type='gs' AND ladID=0 AND 1on1=1;

      Try to run a:

      REPAIR TABLE ws_bi2_cup_matches;
  20. If you're only having up to 99 things then pad 1-9 with a leading zero. 01, 02 .... 09, 10, 11, etc.. If you're having up to say 999 then pad more. 001, 002 .... 099, 100, 101, etc. That should fix it. There may be other ways as well, but I'd just do ^ that.
  21. If all 'parents' have a parent_id of 0 then it's quite easy..

      if(parent_id == 0) {
          // Parent
      }else {
          // Title
      }
  22. In the past I've used various sitemap generating software. Not sure how dynamic you want this to be, but it may be worth jumping on Google and doing a search for a Sitemap Generator?
  23. Ok, so I'm pretty sure you just took the code I posted above and copy/pasted it expecting it to work without reading any of the comments or filling in several needed details like the name or address of your MySQL server, user credentials and even the database you're trying to connect to. It doesn't quite work like that, as smart as computers are they aren't quite capable of mind reading and completing tasks based off of ideas you have. You will need to give them instructions and details. You tell it to stand in front of a bus and it will, you tell it to move if a bus is coming and it will. Tell it nothing and there is no bus, no standing, no staying nor moving. Think of the code I pasted as a template.

      $server = "";   // Enter your MYSQL server name/address between quotes
      $username = ""; // Your MYSQL username between quotes
      $password = ""; // Your MYSQL password between quotes
      $database = ""; // Your MYSQL database between quotes

      Now enter your own details into it.

      $server = "localhost";   // My server is localhost, as it's my dev machine
      $username = "testuser";  // My username to connect to my MySQL is testuser
      $password = "testpass";  // My password to connect to my MySQL is testpass
      $database = "testdb";    // My database is called testdb

      Please do note that there is a very high chance that your details there will be different to mine, so you will need to fill them out. May I suggest some reading: http://www.w3schools.com/php/php_mysql_intro.asp
  24. l0gic

    Age

    Well, you either need to change what the form is sending when it's blank before it sends. Or check what it's sending is a number when your above code receives it. One solution:

    ...
    // $_POST values arrive as strings, so is_int() would always be false here; ctype_digit() checks for digits only
    if (isset($_POST['submitbtn']) && ctype_digit($_POST['month']) && ctype_digit($_POST['day']) && ctype_digit($_POST['year'])) {
        // do stuff
    } else {
        // don't do stuff
    }
    ...
  25. l0gic

    Age

    So I believe you're passing the wrong data through your form on the previous page. Should be sending through something like: 05 - 29 - 1983