Everything posted by kicken
-
"The Net" was decent. It's about a freelance programmer who winds up in the middle of a large conspiracy when someone sends her a program to debug. Aside from the mentioned stuff nothing else really comes to mind. On a non-movie front, "The IT Crowd" was a pretty good sitcom.
-
PHP has a built-in Zip extension for creating and also extracting zip archives. I've only done basic testing with it a couple of times (when people posted a problem involving it). I never had an issue with any of the archives it generated on my Windows or Linux machines. Your users may just be getting a corrupt download due to a network problem/filter or some other thing out of your (and maybe their) control. You would need to have them send you a copy of the zip file in question to check it for that. On an older site I used to develop for we allowed people to download zips of some content. We would get complaints from time to time about the download not working. What it turned out to be was the server killing the download after 90 seconds, so users on a slower connection trying to download a large zip would have problems.
-
Test My Website Builder For Vulnerabilities
kicken replied to deathadder's topic in Beta Test Your Stuff!
Your site appears to just silently truncate a username if it is over the max. You should show an error instead, otherwise users will think they registered using the name they entered and wonder why the login doesn't work later. Having a maximum on password length is unnecessary. You should be hashing the passwords if you are not. If you are, the hashing process should reduce them to a predictable length regardless of the original length of the password.
-
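The two points in that reply, as an added example that is not code from the thread or from the site being tested: a username check that reports an error instead of truncating, and password hashing that yields a fixed-length stored value whatever the input length. The column width MAX_USERNAME_LEN and the sample submissions are constructed. One caveat worth knowing: the default bcrypt algorithm only uses the first 72 bytes of the password, so "no maximum" in practice means "no maximum the user notices".

```php
<?php
// Added example (not from the original post). Registration-style validation that
// rejects an over-long username with an error instead of truncating it, and
// hashes the password so the stored value has a fixed length whatever the input.
// MAX_USERNAME_LEN is an assumed column width.

const MAX_USERNAME_LEN = 20;

/**
 * Returns null when the username is acceptable, otherwise an error message to
 * show the user. Length is measured in characters, not bytes, so a multibyte
 * name is compared against the same limit the user sees in the form.
 */
function validateUsername(string $username): ?string
{
    $len = mb_strlen($username, 'UTF-8');
    if ($len === 0) {
        return 'Username is required.';
    }
    if ($len > MAX_USERNAME_LEN) {
        return sprintf('Username may be at most %d characters (you entered %d).',
            MAX_USERNAME_LEN, $len);
    }
    return null;
}

/**
 * password_hash() produces a salted hash of fixed length (60 characters for the
 * default bcrypt algorithm), so the stored value never depends on how long the
 * user's password was. bcrypt only looks at the first 72 bytes of the input.
 */
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Constructed sample submissions: one normal, one over-long username, one very
// long passphrase.
$submissions = [
    ['username' => 'alice', 'password' => 'correct horse battery staple'],
    ['username' => str_repeat('x', 25), 'password' => 'short'],
    ['username' => 'bob', 'password' => str_repeat('long-passphrase-', 20)],
];

foreach ($submissions as $s) {
    $error = validateUsername($s['username']);
    if ($error !== null) {
        echo "Rejected: $error\n";
        continue;
    }
    $hash = hashPassword($s['password']);
    printf("Accepted %s: password %d chars -> hash %d chars, verifies: %s\n",
        $s['username'], strlen($s['password']), strlen($hash),
        verifyPassword($s['password'], $hash) ? 'yes' : 'no');
}
```

Run it with `php` on the command line; the over-long username is reported back with both the limit and the submitted length, and the 28-character and 320-character passwords produce hashes of identical length.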
The way you wrote your setTimeout calls, you are telling JS to "execute the slider function NOW, then register what it returns to be executed LATER". To run the slider function later, you need to wrap it in another function. You can just use an anonymous function for that:

    setTimeout(function(){ slider('panel1'); }, 400);
    setTimeout(function(){ slider('panel2'); }, 800);
    setTimeout(function(){ slider('panel3'); }, 1200);
-
Your loop for while($pq = mysql_fetch_assoc($pqresult)) is only going to run through the results on the first iteration of the outer loop. For each additional iteration that inner loop will be skipped because mysql_fetch_assoc will return false (all the rows got consumed already in the first iteration). For that code to work as you're expecting, you'd have to repeat the select query on each loop iteration, which is a terrible thing to do and will cause major performance problems. The better way to handle this would be to use a JOIN on your tables and only run a single query that gives you all the data you need. If you post your table structures someone can probably help you come up with the proper query.
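The consumed-result-set bug and its JOIN replacement, as an added example that is not code from the thread. Since the original poster's table structures are not on the page, the categories/products schema is constructed, and the example uses PDO with an in-memory SQLite database instead of the old mysql_ functions so it runs without a server; the row-exhaustion behaviour is the same.

```php
<?php
// Added example, not code from the original post. It reproduces the bug described
// above (an inner result set that is only iterated once) and shows the single
// JOIN query that replaces the nested loop. Table names and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, category_id INTEGER, name TEXT)');
$db->exec("INSERT INTO categories VALUES (1,'Books'),(2,'Games')");
$db->exec("INSERT INTO products VALUES (1,1,'Novel'),(2,1,'Atlas'),(3,2,'Chess')");

// Buggy shape: the inner statement is executed once, outside the outer loop, so
// its rows are consumed during the first category and fetch() returns false for
// every category after that.
function nestedLoopOnce(PDO $db): array
{
    $out = [];
    $cats  = $db->query('SELECT id, name FROM categories ORDER BY id');
    $prods = $db->query('SELECT category_id, name FROM products ORDER BY id');
    while ($cat = $cats->fetch(PDO::FETCH_ASSOC)) {
        $out[$cat['name']] = [];
        while ($p = $prods->fetch(PDO::FETCH_ASSOC)) {
            if ($p['category_id'] == $cat['id']) {
                $out[$cat['name']][] = $p['name'];
            }
        }
    }
    return $out;
}

// Fixed shape: one query with a JOIN returns every (category, product) pair and
// PHP groups the rows. No query is repeated per outer row.
function joinedQuery(PDO $db): array
{
    $out = [];
    $sql = 'SELECT c.name AS category, p.name AS product
              FROM categories c
              LEFT JOIN products p ON p.category_id = c.id
             ORDER BY c.id, p.id';
    foreach ($db->query($sql, PDO::FETCH_ASSOC) as $row) {
        $out[$row['category']] ??= [];          // keep categories with no products
        if ($row['product'] !== null) {
            $out[$row['category']][] = $row['product'];
        }
    }
    return $out;
}

// The first call shows the symptom: the second category ends up with no
// products because the inner rows were already used up. The second call lists
// every product under its category from a single query.
print_r(nestedLoopOnce($db));
print_r(joinedQuery($db));
```

The LEFT JOIN rather than an INNER JOIN is deliberate: a category with no products still appears in the result, which is usually what a listing page wants.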
-
I never actually took the web development (html) class that was offered at my college but I did sit in on a couple of days with a friend who was in it. From what I'd heard from my friend and observed those days, that class was a bit of a joke too. Pretty much everything was done in Dreamweaver. They did at least try and teach the actual HTML codes but could have done way better. Of the two days I was there, one was about how to use the <font> tag to style up your text (which they even used incorrectly). The other was all about how to use a table to create a layout. Now I gather one may want to note things like that as people may be dealing with legacy code and all, but they were teaching it like it was the proper way to go about accomplishing those tasks. I was able to at least straighten out my friend, teaching them better practices and filling in the gaps in their HTML knowledge but it made me feel sorry for all the other students.
-
Blocking the testing tool is not the way to pass the test. You pass the test by fixing your site so that it is not vulnerable to XSS anymore. You need to make sure you use htmlentities() when you output user-entered data.
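Output escaping of the kind that reply asks for, as an added example that is not code from the thread or from the site under test. It puts the unescaped echo beside an escaping helper and renders one constructed input of the sort a scanner submits, so the difference in the produced markup is visible. The comment markup and the helper name e() are assumptions.

```php
<?php
// Added example, not code from the original post: an escaping helper applied at
// output time, beside the unescaped concatenation an XSS scanner would flag.
// The sample input is constructed.

/** Escape a string for insertion into HTML text or a double-quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES also escapes single quotes (needed inside attributes);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable: user-supplied data goes straight into the markup. */
function renderCommentUnsafe(string $author, string $body): string
{
    return "<div class=\"comment\" data-author=\"$author\"><p>$body</p></div>";
}

/** Fixed: every piece of user data passes through e() at the point it is output. */
function renderCommentSafe(string $author, string $body): string
{
    return '<div class="comment" data-author="' . e($author) . '"><p>'
        . e($body) . '</p></div>';
}

// Constructed input: one value tries to break out of the attribute, the other
// injects a script element into the text context.
$author = '" onmouseover="alert(1)';
$body   = '<script>alert(1)</script>';

echo "Unescaped:\n", renderCommentUnsafe($author, $body), "\n\n";
echo "Escaped:\n",   renderCommentSafe($author, $body), "\n";
```

In the escaped output the double quote becomes `&quot;` and the angle brackets become `&lt;`/`&gt;`, so both values are rendered as literal text. htmlentities() as mentioned in the reply works the same way here; htmlspecialchars() only converts the characters that matter to the HTML parser, which is all that is needed for a UTF-8 page.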
-
The (include_path='.:/usr/share/pear:/usr/share/php53/pear') part of the error message is just informational, it is letting you know what the include path is at the point in time when PHP tried to find that file. It's not telling you to add it to your script or change it. The issue is that for some reason PHP is unable to open the requested file. Either it can't be found (wrong path, or maybe deleted) or there is a permissions problem. The first step is to make sure the file exists. My guess would be PHP is expecting to find it at /webroot/c/r/creat031/primary/www/cms/Connections/ccgifts.php
-
That is because they are both wrong. You don't end a list with a comma. It only goes between items:

    a, b, c, d,   <- not correct
    a, b, c, d    <- correct

Hence why you were told to: Not replace it with a semi-colon. Where you got that idea from I have no idea.
-
The only two "security" related issues regarding the function have been addressed:
- is_numeric allows more than you want, so use ctype_digit
- You are returning too early, and thus possibly not checking all entries

You should have a return false; at the end of the function (in case the !empty condition is false), but it won't cause any type of "security" problems either. One can't really talk about whether something is "secure" or not by just looking at one function. Whether something is secure isn't just about how well you do or don't validate input data, it's about the entire process of how the data is used.
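A version of the check with both points from that reply applied, as an added example and not the poster's function: ctype_digit() instead of is_numeric(), and a verdict that is only reached after every entry has been examined. The input shape (a list of strings, as a form would submit) and the sample cases are constructed.

```php
<?php
// Added example, not the function from the thread: an all-entries check that
// uses ctype_digit() rather than is_numeric() and returns true only once every
// entry has passed. The input shape is assumed to be a list of submitted strings.

/**
 * True only if $values is a non-empty list whose every element is a string of
 * decimal digits. is_numeric() would also accept "1e3", " 12", "3.14" and
 * "-5"; ctype_digit() accepts none of those.
 */
function allDigits(array $values): bool
{
    if (empty($values)) {
        return false;          // nothing to validate is not a pass
    }
    foreach ($values as $v) {
        // ctype_digit() returns false for the empty string; the is_string()
        // guard keeps integers from being interpreted as ASCII code points.
        if (!is_string($v) || !ctype_digit($v)) {
            return false;      // reject as soon as one bad entry is found
        }
    }
    return true;               // reached only if every entry passed
}

// Constructed inputs mirroring what a posted list of ids might carry.
$cases = [
    ['1', '22', '333'],
    ['1', '22', '1e3'],       // is_numeric() says yes, ctype_digit() says no
    ['1', '', '3'],
    ['-5'],
    [],
];
foreach ($cases as $c) {
    printf("%-22s => %s\n", json_encode($c), allDigits($c) ? 'valid' : 'invalid');
}
```

Only the first case is reported valid. The early return is on the rejecting path, which is safe; the mistake the reply describes is returning the accepting verdict before the loop has seen every entry.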
-
You can't just stick raw image data into an <img> tag. You would have to write the decoded data ($imgDecoded) to a file, then reference that file in the <img> tag.
-
It doesn't exist already on the system (typically). The command I referenced above will download it from the package distribution site and then install it. As I mentioned too, that command is for Ubuntu, I'm not sure if it will work on Debian or not as I've not used that distro. The reason why you can have cURL enabled in PHP but not have the command is because there are two parts. cURL is mainly a library, which means it is just a bit of software you plug-in to another program to enable certain functionality. In order to use a library you have to have an executable file to run that makes use of that library. When a project develops a library, they will typically include a small executable that uses the library, either for testing or for general use. Package maintainers for the systems will typically separate the library files from the executable files, allowing you to install them separately. They do this because you may need the library for a different program, but not need the executable. For example, PHP needs the library for cURL to use it. PHP doesn't need the executable file though so there is no reason really to install it. sudo is part of a base install for ubuntu, it may not be in Debian. If you have root access you do not need to use sudo, just run the apt-get install curl directly. The sudo command is used for running another command as root (kind of like the 'Run as Administrator' option in windows, if you're familiar with that).
-
Enabling curl in PHP only requires the libraries for curl, not the binaries which is what you'd need to run curl from the command line. You'll have to install the curl package for that before you can use them. sudo apt-get install curl would install it for ubuntu. I'm not familiar with any other distros.
-
Interesting Behavior In Php's Handling Of $This
kicken replied to ManiacDan's topic in PHP Coding Help
Calling a not-declared-static method statically not causing an error is a backward compatibility thing I know (for older php4 code). Why they chose to import $this from a different context though I don't know. Maybe php4 behaved like that, I've never tried it. Someone certainly might be confused by the behavior if they are not running with full error reporting. At least it handles the context right w/ respect to private/protected members and disallows access.
-
Help Joining These Queries (A Cron Job That Is Destroying My Site)
kicken replied to acidpunk's topic in PHP Coding Help
Those queries could all be replaced by the following two queries:

    mysql_query("
        UPDATE users u
        INNER JOIN user_equipment e ON e.id=$id
        SET attack=u.attack-e.attack
          , max_attacks=u.max_attacks-e.max_attacks
          , attacks_per_day_on_a_person=u.attacks_per_day_on_a_person-e.attack_cap
          , hp=u.hp-e.hp
          , exp_per_turn=u.exp_per_turn-e.exp_per_hour
          , attacks_per_turn=u.attacks_per_turn-e.attacks_per_hour
        WHERE u.id=$owner
    ");
    mysql_query("
        UPDATE user_equipment
        SET equipped='N'
        WHERE id=$id AND owner=$owner
    ");

The first takes care of updating all the stats fields on the users table by removing the values based on the user_equipment table. There is no need to select them first, you can just JOIN with the appropriate row and do the math in the query. The second then sets the equipped flag to N for the specified item. For equipping an item you'd just reverse the process.
-
You'd probably be better off using that disk space to store a .sql file backup of the whole database. If anything happens to the database you can restore it from one of the backup sql files and be on your way again rather than having to try and import a bunch of text or html files you wrote out.
-
When you move your mouse from the first span to the second, you are going to be triggering the onmouseout event of the first span (hiding the span) and then following it up with the onmouseover which re-shows it (assuming you move the mouse fast enough to trigger both). What you need to do is add a delay in the hiding, and cancel the hiding if the user mouses over the second span. Something like this:

    var timer=null;
    var span1=document.getElementById('label');
    var span2=document.getElementById('box');
    function showPopup(){
        span2.style.display = '';
        if (timer){
            clearTimeout(timer);
            timer = null;
        }
    }
    function hidePopup(){
        timer = setTimeout(function(){ span2.style.display='none'; }, 250); //Will hide the div in .25 seconds, unless canceled above first.
    }

    <span id="label" onmouseover="showPopup()" onmouseout="hidePopup();">Box event</span>
    <span id="box" style="position:absolute; display:none" onmouseover="showPopup();" onmouseout="hidePopup();">
    <table>
    -- TABLE_CODE_HERE
    </table>
    </span>

That will cause the hiding of the span to be delayed by .25 seconds (you could adjust as necessary) which gives a small amount of time for the popup span's onmouseover event to fire which will cancel the hiding of the span.
-
That is your immediate error problem. Remove the extra comma. Don't you already have the ID number in $_POST['form_id'], which you've saved to the variable $id?
-
Looks the same to me regardless of if the font is downloaded or already installed. Above the blue line is before I installed the font locally. Below the blue line is after. I can't see any difference between the two. As mentioned photoshop may be doing something to it like aliasing that is making you think it looks better than it does.
-
Dynamically Combine Arrays With Array_Intersect()
kicken replied to cyberRobot's topic in PHP Coding Help
look into call_user_func_array
-
Replace Characters Not Listed In A Whitelist Array
kicken replied to matthewtbaker's topic in PHP Coding Help
You can use + with arrays. I always forget it's not the same as array_merge though, it's a union. array_merge is what you'd need here.

    $symbols = array(); //WHITELIST OF SYMBOLS
    $symbols = array_merge($symbols, range('a', 'z')); // Lowercase A to Z
    $symbols = array_merge($symbols, range('A', 'Z')); // Uppercase A to Z
    $symbols = array_merge($symbols, range('0', '9')); // Numbers 0 to 9
    $symbols[] = '>'; // Greater Than or Open Angle Bracket
    $symbols[] = '<'; // Less Than or Close Angle Bracket
    print_r($symbols);
-
Test My Website Builder For Vulnerabilities
kicken replied to deathadder's topic in Beta Test Your Stuff!
Vulnerability testing is all about doing the illogical. The things the programmer probably never thought of and did not test for. That is where a hacker is going to find their way into your systems and wreak havoc. That's one of the mindsets you need to get into while programming and testing. As well as the mindset of a clueless user and the mindset of a cat walking across the keyboard (as in make sure a 2k-char-long string of "ap]342]345o325t\34r5q324iour9ajr3]214r2it..." doesn't cause problems), to name a few.
-
Those lines are wrong. session_register is a function, not an array. The recommended way to store a session variable is by setting it in $_SESSION though, there is no need for session_register at all.

    $_SESSION['id'] = $d['id'];
    $_SESSION['access_level'] = $d['access_level'];
-
Replace Characters Not Listed In A Whitelist Array
kicken replied to matthewtbaker's topic in PHP Coding Help
You could avoid listing them out by hand by using the range function:

    $symbols = array(); //WHITELIST OF SYMBOLS
    $symbols += range('a', 'z'); // Lowercase A to Z
    $symbols += range('A', 'Z'); // Uppercase A to Z
    $symbols += range('0', '9'); // Numbers 0 to 9
    $symbols[] = '>'; // Greater Than or Open Angle Bracket
    $symbols[] = '<'; // Less Than or Close Angle Bracket
    ...
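Both replies in this thread (the += version above and the array_merge correction earlier on the page) only build the whitelist. As an added example that is not code from the thread, this builds the same list with array_merge() and then does the replacement the thread title asks for in two ways: a character-by-character membership test, and a single preg_replace() with a negated character class. The input strings are constructed.

```php
<?php
// Added example, not code from the original thread: builds the whitelist with
// range() and array_merge() as the replies do, then removes every character
// that is not on the list. The input strings are constructed.

function buildWhitelist(): array
{
    $symbols = array_merge(range('a', 'z'), range('A', 'Z'), range('0', '9'));
    $symbols[] = '>';
    $symbols[] = '<';
    return $symbols;
}

/**
 * Keep only whitelisted characters. Walking the string and testing membership
 * means nothing outside the list can survive, which is the point of a whitelist
 * as opposed to a blacklist of known "bad" characters.
 */
function keepWhitelisted(string $input, array $whitelist): string
{
    $allowed = array_flip($whitelist);          // value => key for O(1) lookups
    $out = '';
    foreach (str_split($input) as $ch) {        // byte-wise: multibyte chars are dropped
        if (isset($allowed[$ch])) {
            $out .= $ch;
        }
    }
    return $out;
}

/**
 * Same result with one preg_replace(): the whitelist becomes a negated character
 * class. preg_quote() escapes characters such as '-' or ']' that would otherwise
 * change the meaning of the class.
 */
function keepWhitelistedRegex(string $input, array $whitelist): string
{
    $class = implode('', array_map(fn($c) => preg_quote($c, '/'), $whitelist));
    return preg_replace('/[^' . $class . ']/', '', $input);
}

$whitelist = buildWhitelist();
$samples = ['Hello, World! <b>42</b>', "O'Brien;\tDROP", 'naïve café'];
foreach ($samples as $s) {
    printf("%-28s -> %s | %s\n", json_encode($s),
        keepWhitelisted($s, $whitelist), keepWhitelistedRegex($s, $whitelist));
}
```

Both functions give the same output for each sample: punctuation, whitespace and the non-ASCII bytes are removed, letters, digits and the two angle brackets remain. If the whitelist is ever meant to include multibyte characters, the regex version needs the `u` modifier and the loop version needs mb_str_split() instead of str_split().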
-
    var_dump(bin2hex($string));

That will give you the string encoded as hexadecimal digits, so you can see what exactly is between those p tags.