scootstah
Staff Alumni
Posts: 3,858
Days Won: 29

Everything posted by scootstah

  1. No, because Apache does not treat an image like PHP. If you accessed the malicious image through a normal URL, it would load just like any other image and that's it. Yes, it's possible to carry out an XSS exploit with CSS. It would need to be sanitized. What overhead are you referring to? If you mean performance, well then Twig has very minimal overhead. The template files are compiled to PHP in a cache, so it's only really slow the first time before the cache is created. After that it is very quick. Twig is a great drop-in solution that lots of people are familiar with already. I'm not sure why you would bother taking the time to create one. Also, just because Twig is safe does not mean that all template engines are safe. It's not like they are inherently safe... but the way in which Twig operates makes it safe. EDIT: In fact, the very thing you're trying to do is one of Twig's main selling points. Quote from the Twig page:
  2. You're defining a function in the scope of window. What happens is the function becomes a property of the window object. If you inspect "window", you'll see that your function "Pawn" is actually a property. You could say window.Pawn() and it would execute your function.
  3. It is for video download, and then ffmpeg can convert it to an mp3. I don't see any documentation for that site right quick. I'll leave the Googling to you. It would probably not be that hard to write a scraper though.
  4. https://github.com/jeckman/YouTube-Downloader + ffmpeg
  5. Sure.
     if ($value == 'admin') {
         $email = 'admin@yourdomain';
     } else if ($value == 'postmaster') {
         $email = 'postmaster@yourdomain';
     }
  6. You could develop a CMS type of deal which allows users to add widgets and stuff to their page, but not actual Javascript code. Unfortunately if you allow any sort of Javascript you are allowing an XSS vulnerability. It's not really the same as offering web hosting. Since this is an extension of a domain and servers that you control, the blame will fall on you. You are responsible for the content on your domain/server. include()'ing is very bad because IF there was any PHP code that got in there, it's going to be executed. I discovered a while ago that if you embed PHP into an image file, the image can still pass proper MIME checks, still function as a valid image, but if you include() it, the PHP code will be executed. If you want them to upload custom HTML, that's fine, but don't include() it. Yes, Twig is much safer. It has a strictly controlled API that can be utilized in the template, and you cannot put PHP into it.
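An added example (not scootstah's code, not from the thread) of handling an upload so the include() problem described in the post cannot arise: the file is checked by content, re-encoded through GD so only pixel data survives, stored under a server-chosen name, and later streamed with readfile(). It assumes a form field named "avatar" and a writable directory outside the web root; both are assumptions.

```php
<?php
// Added example (not scootstah's code): store an uploaded image so that any
// PHP embedded in it can never run. Assumes $file = $_FILES['avatar'] and a
// writable $storeDir outside the web root (both assumptions).

function storeUploadedImage(array $file, string $storeDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Inspect the real content, not the client-supplied filename or MIME type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)) {
        return null;
    }

    // Re-encode through GD: only pixel data is kept, so comment and metadata
    // sections that could carry "<?php ... ?>" are discarded.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }

    // The server picks the name and extension; the original filename is ignored.
    $name = bin2hex(random_bytes(16)) . '.png';
    $ok = imagepng($img, $storeDir . '/' . $name);
    imagedestroy($img);
    return $ok ? $name : null;
}

// Serving: stream the bytes with readfile(), never include() or require().
function serveImage(string $storeDir, string $name): void
{
    // Accept only the exact name pattern generated above, which also blocks path tricks.
    if (!preg_match('/^[a-f0-9]{32}\.png$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = $storeDir . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/png');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```

Because the stored file is always a freshly written PNG under a random name, even a misconfigured handler that executed files in that directory would find no PHP in them.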
  7. If it is a public facing page then yes, it is indeed your responsibility.
  8. Can you post that file here please? Make sure to use the code tags by clicking the <> button.
  9. Where did you turn on error reporting? It must be set in the php.ini to capture certain fatal errors, otherwise the error occurs before the code to turn on errors is executed. In your php.ini make sure display_errors is set to On and error_reporting is set to -1. And make sure to restart Apache after the changes.
  10. Sure, so long as the code that sets the session is secure. Make sure you exit(); after the redirect though.
  11. Your script is broken because it is full of errors. You need to resolve those problems, not throw bandaids at it.
  12. So what's the problem?
  13. Did you fix all of the problems that you discovered in your last thread?
  14. The Javascript risk is there for anyone who views the page. Where does the PHP code come from in your index.php example?
  15. Since you're not really using jQuery properly to start with, why not just stick with vanilla JS?
      function test(element) {
          alert(element.options[element.selectedIndex].innerHTML);
      }
  16. Blank white page is usually a fatal error of some sort. Make sure error reporting is on and error logging is on, and check your apache error log files.
  17. Man, at some point you're going to need to figure out how to solve problems. You can't just ask for help every time some little thing goes wrong in your program. Programming is about problem solving and troubleshooting. We're happy to help if you're truly stuck on something and have put forth due diligence to try to solve it. Have you tried Googling your error, to see what it means?
  18. mysqli_select_db($con, "DB_DATABASE");
      Should be:
      mysqli_select_db($con, DB_DATABASE);
      Actually with MYSQLI you can just do everything in the constructor.
      $con = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE);
  19. Why? The last time you posted it, it was already MYSQLI.
  20. You could just remove the row instead of setting an active flag.
  21. Did you look through the examples? Seems to support that right out of the box. If not, it's pretty customizable so you should be able to achieve pretty much anything you want.
  22. Flash is dead, man. So PHP is your server-side, and Javascript is your client-side. You will want to rely on PHP to do sensitive things, such as validating health, movement, items, achievements, things like that. Since Javascript is client-side it can't be trusted to do these things, as people can basically modify the code on-the-fly and make it do whatever they want. Therefore, Javascript is responsible for things like calculations, animation, effects, data binding, painting, and stuff like that. Any time it needs to do something important it will use AJAX to talk to the backend (PHP). There are plenty of libraries to help with what you're doing, and there are even game engines written for these technologies. Learning these things doesn't happen overnight; don't be so quick to give up. If you're reasonably competent in other languages you should be able to pick up Javascript in a month or two... it's a fairly easy language.
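An added example (not scootstah's code, not from the thread) of the split described in the post: a small PHP endpoint that the game's JavaScript would call via AJAX to move the player. The client only proposes a destination; the server keeps the authoritative position and health and validates the move itself. The session keys and map size are assumptions.

```php
<?php
// Added example (not scootstah's code): PHP endpoint the game's JavaScript calls
// via AJAX to move the player. The client only proposes a destination; the server
// holds the authoritative state and checks the move before applying it.
// Assumption: session keys 'x', 'y', 'hp' store the player state.

const MAX_STEP = 1;   // one tile per request, whatever the client claims
const MAP_W = 20;
const MAP_H = 20;

function validateMove(array $state, int $toX, int $toY): ?string
{
    if ($state['hp'] <= 0) {
        return 'dead players cannot move';
    }
    if ($toX < 0 || $toY < 0 || $toX >= MAP_W || $toY >= MAP_H) {
        return 'destination is off the map';
    }
    if (abs($toX - $state['x']) > MAX_STEP || abs($toY - $state['y']) > MAX_STEP) {
        return 'destination too far for one move';
    }
    return null; // move is valid
}

session_start();
header('Content-Type: application/json');
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['error' => 'POST required']);
    exit;
}

// Default state on first request; array union keeps keys that already exist.
$_SESSION += ['x' => 0, 'y' => 0, 'hp' => 100];

// Read only the coordinates; any 'hp' or 'items' the client sends is ignored.
$in  = (array) json_decode(file_get_contents('php://input'), true);
$toX = (int) ($in['x'] ?? -1);
$toY = (int) ($in['y'] ?? -1);

$state = ['x' => $_SESSION['x'], 'y' => $_SESSION['y'], 'hp' => $_SESSION['hp']];
$err = validateMove($state, $toX, $toY);
if ($err !== null) {
    http_response_code(400);
    echo json_encode(['error' => $err, 'state' => $state]);
    exit;
}
$_SESSION['x'] = $toX;
$_SESSION['y'] = $toY;
echo json_encode(['ok' => true, 'state' => ['x' => $toX, 'y' => $toY, 'hp' => $_SESSION['hp']]]);
```

A real endpoint would additionally require a logged-in session and a CSRF token; the point here is that health and position never come from the browser.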
  23. http://www.jssor.com/ Hard to beat this one.
  24. Well, what was the role of PHP here? You said you had a "PHP driven client". Does that mean you have a separate server-side service somewhere?