Everything posted by kicken
-
Your XSS vulnerability is still there.
-
The value you give Redirect is just a prefix, so if you wanted to redirect everything under http://www.domain.com/abc/ you can just do

Redirect 301 /abc/ http://www.domain.com

Note however that if someone requested http://www.domain.com/abc/123/asdf.html, it will keep the part after the prefix and append it to the new URL, so the redirect would attempt to send them to http://www.domain.com/123/asdf.html. To strip the value, you'll need to use mod_rewrite and a rewrite rule.

That said, if that content does not exist anymore, a redirect like that is not what you want to send. You want to send a 410 (Gone) status so that the search engines will stop trying to access that URL and remove it. Sending a 410 makes it so you can't send a new location for the redirect also, but you could configure an ErrorDocument for 410 that will do a redirect using a meta refresh.

ErrorDocument 410 /errors/410.html
Redirect 410 /abc/

Then in /errors/410.html

<html>
<head>
<title>410 Gone</title>
<meta http-equiv="Refresh" content="5;url=http://www.example.com/">
</head>
<body>
<p>The document you requested has been removed. Please <a href="http://www.example.com/">return to the home page</a></p>
</body>
</html>
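The mod_rewrite variant that the reply mentions but does not show, as an added example that is not part of the original post. The hostnames and paths are placeholders; the pattern ^/?abc/ matches both in an .htaccess file, where the leading slash is not part of the tested path, and in the main server config, where it is.

```apache
RewriteEngine On

# Redirect everything under /abc/ to the home page and drop the remainder
# of the request path (a plain Redirect would append it to the target URL).
RewriteRule ^/?abc/ http://www.example.com/ [R=301,L]

# If the content is gone for good, answer 410 instead of redirecting.
# The G flag sends "410 Gone" with no Location header; the ErrorDocument
# supplies the page the visitor sees (the meta-refresh page from the reply).
# RewriteRule ^/?abc/ - [G]
# ErrorDocument 410 /errors/410.html
```

Check the result with `curl -sI http://www.example.com/abc/123/asdf.html`: the status line should be 301 (or 410 with the second variant) and, for the redirect, the Location header should be the bare home page with no /123/asdf.html appended.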
-
Something like this I am guessing is what you're looking for:

SELECT * FROM contracts WHERE start_date >= '2012-1-1' AND COALESCE(end_date, NOW()) <= NOW()

That will find any contracts whose start_date occurs after your target start date ('2012-1-1' in the example) and end date occurs before the target end date (the current time, in the example). For any contract with a NULL end date, it assumes the end_date is NOW().
-
Is the page this code is on within a popup itself? window.opener refers to the window that opened the current window. If the current window was not opened by a previous window, this value should be null/undefined which would cause the lines to error. If you want to reload the page which contains that code, you could just do window.focus(); window.location.reload(true);
-
Once you've saved the dates in a DATE/DATETIME/TIMESTAMP column as recommended, when you SELECT them back out you can format them for display purposes however you want using the DATE_FORMAT function.
-
The current working directory for your scripts is going to be whatever directory the initial entry point file is in; in your case /home/208/public_html/account/. All your relative paths are going to be based on this directory. When you try and do chdir() in your header.php file you're asking to move into the community folder relative to the current directory. Since the current directory is /home/208/public_html/account/, it will attempt to change to /home/208/public_html/account/community/, hence the no such file/directory error.

You shouldn't really be messing with chdir anyway, there is generally no need to. Also you should attempt to use absolute paths as much as possible so it makes things clear where items are located. Note that using an absolute path doesn't mean hard-coding the path. There are plenty of constants/variables to use to determine the full path to a file. For example in your header.php, to include global.php you could use:

require_once __DIR__.'/global.php';

__DIR__ is a magic constant which refers to the directory that the currently executing file is stored in. Since at the point of that require statement the currently executing file is header.php, __DIR__ will be defined as /home/208/public_html/essentials/includes. Note that __DIR__ requires PHP 5.3 or better; for lower versions you can use dirname(__FILE__) instead. As you already seem to know, there is also $_SERVER['DOCUMENT_ROOT'] which points to the root directory of your site. You can use that to generate a path to a file also.
-
Don't do that, just set them both to the same ID. Then your joins become simple:

SELECT jobs.job_number, jobs.brand, jobs.description,
       -- users is joined twice, so each copy is referenced by its alias
       addedBy.email AS added_by_email, requestedBy.email AS requested_by_email
FROM jobs
INNER JOIN users addedBy ON jobs.user_id = addedBy.id
INNER JOIN users requestedBy ON jobs.request_other = requestedBy.id
WHERE jobs.status != 'live'
ORDER BY jobs.brand ASC, jobs.date_created DESC

if you need details on both who added it and who requested it. If you only need details on the requester then only join for that field:

SELECT jobs.job_number, jobs.brand, jobs.description, requestedBy.email
FROM jobs
INNER JOIN users requestedBy ON jobs.request_other = requestedBy.id
WHERE jobs.status != 'live'
ORDER BY jobs.brand ASC, jobs.date_created DESC
-
I generally find when doing something like this, rather than trying to subtract two dates, it's easier/better to subtract 60 days from 'now' and then compare to the db records. Eg:

SELECT CASE WHEN logoffDateTime < (CURRENT_TIMESTAMP - INTERVAL 60 DAY) THEN 1 ELSE 0 END AS isOlderThan60Days, ...
-
edit: What Jessica said, basically. There's an example.

Unless your HTML/Form layout somehow prevents it, you could just do a separate form for each set also:

<form action="blah">
<input type="hidden" name="name_of_customer" value="blah">
...other hidden inputs for each detail
<input type="submit" value="Send">
</form>
<form action="blah">
<input type="hidden" name="name_of_customer" value="foo">
...other hidden inputs for each detail
<input type="submit" value="Send">
</form>
<form action="blah">
<input type="hidden" name="name_of_customer" value="bar">
...other hidden inputs for each detail
<input type="submit" value="Send">
</form>

Then the only details that would be submitted with the form are the one set, not all four.
-
Your questions are not very clear, but here's my best guess at answers Yes, you'd store the name of the file in your database somewhere so that you know which file to grab when you need it. To avoid the overwrite you need to either use separate directories, or alter the name of the file in some way. For example, add the user's ID# as a prefix so if they upload photo.png you'd rename it on save to 1479_photo.png.
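The rename-on-save idea from the reply, as an added example in Python (not the poster's code) with the checks that usually go with it: keep only the base name so a client-supplied path cannot escape the upload directory, allow only an assumed list of image extensions (the list is an assumption, not from the thread), collapse inner dots so a name like photo.php.png cannot be served as PHP by a loose handler mapping, and return the stored name for the database row.

```python
"""Store an upload under <user id>_<clean name>.<ext> so users cannot overwrite
each other's files. Added example; the extension whitelist is an assumption."""
import os
import posixpath
import re

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}   # assumed: an image-upload feature
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]+")


def stored_name(user_id: int, client_filename: str) -> str:
    """Return the on-disk name for a user's upload, e.g. 1479_photo.png.

    Raises ValueError when no acceptable name can be derived.
    """
    # Some clients send a full path; keep only the final component for either separator,
    # which also removes any ../ traversal the client put in the name.
    base = posixpath.basename(client_filename.replace("\\", "/"))
    base = _UNSAFE_CHARS.sub("_", base).strip("._")
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem or ext.lower() not in ALLOWED_EXT:
        raise ValueError(f"disallowed file name: {client_filename!r}")
    # One extension only: "photo.php.png" becomes "photo_php.png".
    stem = stem.replace(".", "_")
    return f"{int(user_id)}_{stem}.{ext.lower()}"


def save_upload(upload_dir: str, user_id: int, client_filename: str, data: bytes) -> str:
    """Write the file and return the stored name to record in the database."""
    name = stored_name(user_id, client_filename)
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:   # the user-id prefix is what prevents cross-user clobbering
        fh.write(data)
    return name


if __name__ == "__main__":
    print(stored_name(1479, "photo.png"))          # 1479_photo.png
    print(stored_name(1479, "../../etc/passwd.png"))  # 1479_passwd.png
```

The name returned by stored_name() is what goes into the database column the reply talks about; the original client file name can be kept in a separate column for display, but it should never be used to build a path.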
-
There is nothing else. header() is how you do a redirect from within PHP. Your options are either re-structure your code so you can use header() or continue using a workaround like JS.
-
Someone could still just access that PHP file and download the mp3's via it, no different than accessing the files directly.
-
Are you delaying your script after issuing the lock? If not, once the script ends your connection to mysql will close and the lock will probably be released.
-
Your code didn't accomplish what you wanted. Other than that, it's fine.
-
Right now you are writing out your CSV data to a file. Rather than doing that you want to get that data as a string so that you can echo it out to the browser. One convenient way to do that is to use a temp file which you can open using the function tmpfile. That lets you still use fputcsv to generate the CSV contents easily w/o having to create a static file which could cause issues if two people tried to do a csv export at the same time.

// create a temporary file to build the CSV in (removed automatically on close)
$output = tmpfile();
$len = 0; // size of the csv data for use in a content-length header

// output the column headings
$len += fputcsv($output, array('Kataloski broj', 'VPC', 'MPC', 'Preporucena VPC'), ";");

// fetch the data
// $id_kalkulacije is interpolated into the SQL, so escape it (or cast it to int) first
$upit = "SELECT kataloski_broj, neto_VPC, neto_MPC, preporucena_VPC FROM kalkulacija_stavke WHERE id_kalkulacija = '" . mysql_real_escape_string($id_kalkulacije) . "'";
$rows = mysql_query($upit) or die (mysql_error());

// replace . with , in the numbers
$find = '.';
$replace = ',';

// loop over the rows, outputting them
while ($row = mysql_fetch_assoc($rows)) {
    $text = str_replace($find, $replace, $row);
    $len += fputcsv($output, $text, ";");
}

// output headers so that the file is downloaded rather than displayed
header('Content-Type: application/csv');
header('Content-Disposition: attachment; filename="export.csv"');
header('Content-Length: '.$len);

// output the generated csv data
rewind($output);
fpassthru($output);
fclose($output);
exit;
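The same export built in memory with a bound query parameter, as an added example in Python that is not the poster's code: sqlite3 stands in for MySQL, the table name and columns follow the thread, and the rows are constructed here. It keeps the "." to "," replacement and the ";" delimiter from the reply, and computes Content-Length from the encoded bytes rather than the character count, which differ once non-ASCII data appears.

```python
"""In-memory CSV export with a parameterized query (added example)."""
import csv
import io
import sqlite3
from typing import Dict, Tuple


def make_sample_db() -> sqlite3.Connection:
    """Constructed data: a kalkulacija_stavke table with a few rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE kalkulacija_stavke (id_kalkulacija INTEGER, kataloski_broj TEXT,"
        " neto_VPC REAL, neto_MPC REAL, preporucena_VPC REAL)"
    )
    conn.executemany(
        "INSERT INTO kalkulacija_stavke VALUES (?, ?, ?, ?, ?)",
        [
            (7, "A-100", 12.5, 15.0, 14.25),
            (7, "B-200", 3.75, 4.5, 4.0),
            (8, "C-300", 99.99, 120.0, 110.0),   # other kalkulacija: must not be exported
        ],
    )
    return conn


def export_csv(conn: sqlite3.Connection, id_kalkulacije) -> Tuple[Dict[str, str], bytes]:
    """Return (response headers, body bytes) for the download.

    The id is bound as a parameter instead of being spliced into the SQL text,
    so a value such as "7 OR 1=1" is compared as data and matches nothing.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=";", lineterminator="\n")
    writer.writerow(["Kataloski broj", "VPC", "MPC", "Preporucena VPC"])
    rows = conn.execute(
        "SELECT kataloski_broj, neto_VPC, neto_MPC, preporucena_VPC"
        " FROM kalkulacija_stavke WHERE id_kalkulacija = ? ORDER BY kataloski_broj",
        (id_kalkulacije,),
    )
    for row in rows:
        # decimal comma, as in the reply's str_replace
        writer.writerow([str(value).replace(".", ",") for value in row])
    body = buf.getvalue().encode("utf-8")
    headers = {
        "Content-Type": "text/csv; charset=utf-8",
        "Content-Disposition": 'attachment; filename="export.csv"',
        "Content-Length": str(len(body)),   # bytes, not characters
    }
    return headers, body


if __name__ == "__main__":
    hdrs, data = export_csv(make_sample_db(), 7)
    print(hdrs)
    print(data.decode("utf-8"))
```

With a real web framework the headers dict becomes the response headers and the body is written once; nothing is ever stored on disk, so concurrent exports cannot collide.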
-
Wrong. All someone has to do is craft a special URL then send it out to people. Anyone who clicks that URL will then have that XSS problem. Someone can do quite a bit using XSS such as steal cookies, login information, personal details, etc. http://bit.ly/XD0BVC <- click there for a sample (edit: in a browser that won't save you, such as firefox).
-
You have an XSS problem with your tags, eg: http://beta.tutalicious.com/app/ph%3Cimg%20src=%22.%22%20onerror=%22alert('hi');%22%3Ep. Chrome saves you by detecting it and stripping it. Other browsers may not.

You have an XSS problem with your signup form. For example enter:

"> <img src="." onerror="alert('Hi!');"><b id="

for the username and mis-matching passwords to cause an error. The same issue is present for the email field. The same XSS problem exists with your login form as well.
-
Sounds like you probably are going to want to setup replication to another server. Then you could probably split the read traffic off to the replicated copy and just have the writes go to the master. I've not used replication myself so I don't know much about the process.
-
A couple things:

1) ereg_* functions are deprecated, don't use them. Use preg_* instead.

2) htmlentities() is generally all you really need to prevent XSS. XSS comes from when you echo back user-defined data and doing so allows them to modify the HTML code, such as injecting a script tag. htmlentities() will take care of that by converting special HTML characters to their entity values so they don't cause problems. So for example whenever you wanted to echo out $_GET['s'] on your page, instead you would do:

echo htmlentities($_GET['s']);

Lastly, you shouldn't apply htmlentities prior to storing the data into your database. Instead store the data as-is then apply htmlentities when you output it to your page.
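Output escaping as the reply describes, as an added example that is not part of the original post: Python's html.escape() stands in for PHP's htmlentities(), the template is a made-up username banner, and the payloads are constructed after the two reported earlier in this thread. One caveat the example makes visible: the attribute payload relies on a double quote to break out of id="...", and PHP's htmlentities() only escapes single quotes when you pass ENT_QUOTES, so for data that lands inside an attribute use htmlentities($s, ENT_QUOTES, 'UTF-8'); html.escape() escapes both quote characters by default.

```python
"""Vulnerable echo versus escape-on-output (added example)."""
import html

# Constructed payloads modelled on the ones reported in this thread.
PAYLOAD_ATTRIBUTE = '"> <img src="." onerror="alert(\'Hi!\');"><b id="'
PAYLOAD_TEXT = 'ph<img src="." onerror="alert(\'hi\');">p'

TEMPLATE_TAG_COUNT = 4   # <p>, <b>, </b>, </p>: the tags the template itself emits


def render_vulnerable(username: str) -> str:
    """Echoes user data straight into the markup: the bug the reply describes."""
    return f'<p>Welcome back, <b id="{username}">{username}</b></p>'


def render_escaped(username: str) -> str:
    """Escapes at output time, where the data enters the HTML, not at storage time.

    quote=True (the default) turns " and ' into entities as well, so the value
    cannot close the id="..." attribute. PHP equivalent:
    htmlentities($username, ENT_QUOTES, 'UTF-8').
    """
    safe = html.escape(username, quote=True)
    return f'<p>Welcome back, <b id="{safe}">{safe}</b></p>'


def injects_markup(rendered: str) -> bool:
    """True if the rendered page contains more tags than the template wrote."""
    return rendered.count("<") > TEMPLATE_TAG_COUNT


if __name__ == "__main__":
    for payload in (PAYLOAD_ATTRIBUTE, PAYLOAD_TEXT):
        print("vulnerable:", render_vulnerable(payload), injects_markup(render_vulnerable(payload)))
        print("escaped:   ", render_escaped(payload), injects_markup(render_escaped(payload)))
```

The escaped output still shows the user exactly what they typed (the browser decodes the entities for display); what changes is that the text can no longer close a tag or attribute, so the onerror handler is never parsed as one.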
-
For SQL you only use a single = in a comparison: Count(tblTemp.LocationID) = '$nchecked' What's the exact error message?
-
Just define the column as a DECIMAL(8,3) type and then insert the number.

CREATE TABLE blah (
    num DECIMAL(8,3)
);
INSERT INTO blah (num) VALUES (9999.999)
-
User Permissions and Dynamic Menu (parent, child, grandchild)
kicken replied to jenkins's topic in Application Design
Since the menu uses the nested set model it's relatively easy to query for the parents of a menu item. Something like this would probably do:

SELECT m.MenuId, m.Name, p.MenuId AS ParentMenuId, p.Name AS ParentName
FROM users u
INNER JOIN groups g ON u.GroupId=g.GroupId
INNER JOIN group_menu_items gm ON gm.GroupId=g.GroupId
INNER JOIN menu m ON gm.MenuId=m.MenuId
LEFT JOIN menu p ON m.lft BETWEEN p.lft AND p.rgt
WHERE u.UserId=1

You'd probably need to do a little processing of the results within PHP to get them in whatever format the menu system's render function needs.
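The ancestor query above run against a small nested-set tree, together with the post-processing the reply says the application side would do, as an added example that is not the poster's code: sqlite3 in memory, the same four tables as the thread, and a constructed tree whose lft/rgt numbering is assigned by hand. It also adds the check a practitioner wants next to a permission-driven menu: hiding an entry is not authorization, so the handler behind each entry re-checks the group_menu_items row with the user id taken from the session.

```python
"""Nested-set ancestors per permitted menu item, plus the server-side check (added example)."""
import sqlite3
from typing import Dict, List

SCHEMA_AND_DATA = """
CREATE TABLE users (UserId INTEGER PRIMARY KEY, Username TEXT, GroupId INTEGER);
CREATE TABLE groups (GroupId INTEGER PRIMARY KEY, Groupname TEXT);
CREATE TABLE group_menu_items (GroupId INTEGER, MenuId INTEGER);
CREATE TABLE menu (MenuId INTEGER PRIMARY KEY, Name TEXT, lft INTEGER, rgt INTEGER);
INSERT INTO users VALUES (1, 'Blah', 1), (2, 'Flarg', 2);
INSERT INTO groups VALUES (1, 'Admins'), (2, 'Users');
-- Constructed tree (lft,rgt):
--   Admin(1,8)    > Manage Users(2,3), Bans(4,5), Mass Email(6,7)
--   Account(9,14) > Profile(10,11), Invite(12,13)
INSERT INTO menu VALUES
    (10, 'Admin', 1, 8), (1, 'Manage Users', 2, 3), (6, 'Bans', 4, 5),
    (4, 'Mass Email', 6, 7), (11, 'Account', 9, 14), (2, 'Profile', 10, 11),
    (3, 'Invite', 12, 13);
INSERT INTO group_menu_items VALUES (1, 1), (1, 4), (1, 6), (2, 2), (2, 3);
"""

# Same joins as the reply. p is every node whose (lft, rgt) interval contains m,
# which includes m itself because BETWEEN is inclusive; ordering by p.lft lists
# the ancestors root-first with the item itself last.
ANCESTORS_SQL = """
SELECT m.MenuId, m.Name, p.MenuId AS ParentMenuId, p.Name AS ParentName
FROM users u
INNER JOIN groups g ON u.GroupId = g.GroupId
INNER JOIN group_menu_items gm ON gm.GroupId = g.GroupId
INNER JOIN menu m ON gm.MenuId = m.MenuId
LEFT JOIN menu p ON m.lft BETWEEN p.lft AND p.rgt
WHERE u.UserId = ?
ORDER BY m.lft, p.lft
"""

PERMITTED_SQL = """
SELECT COUNT(*)
FROM users u
INNER JOIN group_menu_items gm ON gm.GroupId = u.GroupId
WHERE u.UserId = ? AND gm.MenuId = ?
"""


def make_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_AND_DATA)
    return conn


def menu_paths(conn: sqlite3.Connection, user_id: int) -> Dict[str, List[str]]:
    """Map each menu item the user may see to its path: root first, the item itself last."""
    paths: Dict[str, List[str]] = {}
    for _menu_id, name, _parent_id, parent_name in conn.execute(ANCESTORS_SQL, (user_id,)):
        paths.setdefault(name, []).append(parent_name)
    return paths


def is_permitted(conn: sqlite3.Connection, user_id: int, menu_id: int) -> bool:
    """Authorization check for the action a menu item leads to.

    Call this in the handler itself, with user_id from the session rather than
    from the request, so a user who types the URL of a hidden entry is refused.
    """
    (count,) = conn.execute(PERMITTED_SQL, (user_id, menu_id)).fetchone()
    return count > 0


if __name__ == "__main__":
    db = make_sample_db()
    for uid in (1, 2):
        print(uid, menu_paths(db, uid))
```

The dictionary menu_paths() returns is the shape a breadcrumb or tree renderer typically wants; a renderer that needs nesting instead can build it from the same rows by keying on ParentMenuId.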
-
User Permissions and Dynamic Menu (parent, child, grandchild)
kicken replied to jenkins's topic in Application Design
Have a table that associates the menu id's with the users (or groups) then just join to the menu table using that ID to pull the menu data. Eg:

users:
UserID | Username | GroupID
---------------------------
1      | Blah     | 1
2      | Flarg    | 2

groups:
GroupID | Groupname
-------------------
1       | Admins
2       | Users

group_menu_items:
GroupId | MenuID
----------------
1       | 1
1       | 4
2       | 2
2       | 3
1       | 6

menu:
MenuID | Name
---------------------
1      | Manage Users
2      | Profile
3      | Invite
4      | Mass Email
6      | Bans

SELECT m.Name
FROM users u
INNER JOIN groups g ON u.GroupId=g.GroupId
INNER JOIN group_menu_items gm ON gm.GroupId=g.GroupId
INNER JOIN menu m ON gm.MenuId=m.MenuId
WHERE u.UserId=1
-
Either I'm not understanding where the issue is, or it seems to be solved. The menu fits within your container just fine when I put the code into a fiddle and look at it: http://jsfiddle.net/SeYFm/ Perhaps you should post a screenshot showing the problem so we can literally see it.
-
How do I look for a word within a string?
kicken replied to Stuart_Westgate's topic in PHP Coding Help
Use strpos to search for the value in the string. Be sure to read the docs, particularly the warning section.