scootstah
Staff Alumni
Posts: 3,858
Days Won: 29
Everything posted by scootstah
-
SHA1 password + salt problem - passwords not matching
scootstah replied to Jax2's topic in PHP Coding Help
Because it does not work well at all. SHA1 is not made for hashing passwords, and it is easily bruteforced these days. For hashing passwords, you want a slow, adaptive algorithm. Adaptive means that as computers get faster, the algorithm gets stronger. SHA1 is not adaptive - as computers get stronger, it gets much, much weaker. In addition, it's a very small change that you have to make which in turn makes your application much more secure. Kind of a no-brainer in my opinion.
-
How to allow user to set their password for the first time?
scootstah replied to NotionCommotion's topic in PHP Coding Help
I usually use openssl_random_pseudo_bytes().

$length = 60;
$token = bin2hex(openssl_random_pseudo_bytes($length));
-
SHA1 password + salt problem - passwords not matching
scootstah replied to Jax2's topic in PHP Coding Help
Please don't try to create your own password storage mechanisms. PHP 5.5 now comes with a purpose-built function for this, http://php.net/password_hash If you can't use PHP 5.5, there is a backwards compatible library created by ircmaxell.
-
Absolutely not. Can you not add the web mail hash to your other database?
-
Can you post the relevant code please? nl2br might be what you're looking for.
-
Search Username & Password and the verify status
scootstah replied to bordetaning's topic in PHP Coding Help
You're already using conditionals in your code above, it's no different here. Did you even write that code?? http://php.net/manual/en/control-structures.if.php
-
Search Username & Password and the verify status
scootstah replied to bordetaning's topic in PHP Coding Help
You are selecting all of the columns from your database on this line:

$rs=mysql_fetch_array($result);

So, $rs is an array containing all of the columns for the selected row. So, you would access the level column just like you have accessed the Fname column here:

$_SESSION['user']=$rs["Fname"];

From there, you can use a conditional to decide which page to use here:

$extra = 'Levelpage.php';
-
same exact code works on one page, not the other, am I blind?
scootstah replied to moose-en-a-gant's topic in PHP Coding Help
Huh, that's odd. I've never run into that before.
-
same exact code works on one page, not the other, am I blind?
scootstah replied to moose-en-a-gant's topic in PHP Coding Help
You need to make the id column a primary key. That might be what it's complaining about.
-
same exact code works on one page, not the other, am I blind?
scootstah replied to moose-en-a-gant's topic in PHP Coding Help
Have you tried adding an index? lol
-
This. There's absolutely no reason to try to do this yourself these days. If you can't use PHP 5.5 then use ircmaxell's backwards compatibility library.
-
same exact code works on one page, not the other, am I blind?
scootstah replied to moose-en-a-gant's topic in PHP Coding Help
White page of death is usually a fatal PHP error. Check your Apache error.log.
-
Search Username & Password and the verify status
scootstah replied to bordetaning's topic in PHP Coding Help
Please wrap your code in code tags. You're querying your database table and returning other columns, so why are you unable to get the level column? Your code is full of bad things. I'm guessing you're looking at some 12-year-old PHP tutorial or something?

1. You are vulnerable to SQL injection. Best course of action: stop using the mysql_* API and either use mysqli_* or PDO. Example:

// create new PDO connection
$pdo = new PDO('mysql:dbname=yourdbname;host=localhost', 'user', 'password');

// prepare a query
$stmt = $pdo->prepare("select * from admin where username=:username and password=md5(:password)");

// bind parameter values
$stmt->bindValue(':username', $use);
$stmt->bindValue(':password', $pws);

// execute query
$stmt->execute();

// get results
$result = $stmt->fetch(PDO::FETCH_ASSOC); // associative array of query results

If you insist on using deprecated libraries, then you must at least escape your data before you use it in a query to prevent SQL injection.

$use = mysql_real_escape_string($_POST['use']);
$pws = mysql_real_escape_string($_POST['pass']);

2. Do not store passwords with MD5! MD5 has been broken for many, many years. That, coupled with the fact that you're not salting the passwords, means you might as well just store them plaintext and skip the function call. MD5 was never meant for storing passwords, and it is not good at it. You want a slow, adaptive hashing algorithm such as bcrypt. PHP >= 5.5 has a new password_hash() function that creates secure password hashes. I recommend that you use this. If you cannot use PHP 5.5, then use ircmaxell's backwards compatibility library.

3. You are making a very unsafe redirect link using $_SERVER['HTTP_HOST'] and $_SERVER['PHP_SELF']. The client can manipulate these values. You can just use relative paths instead. If you must use an absolute path, then you need to either set your base URL as a constant, or sanitize the input.

4. You're using an undefined variable $time in your query on line 30. This tells me that you probably have NOTICE level errors turned off (or you just ignored them). I would recommend always developing with max error reporting (use error_reporting(-1)) to avoid code smell.
-
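Added example, not part of scootstah's post above: points 1 and 2 of that reply put together in one place, so the login lookup is a PDO prepared statement and the password check uses password_hash()/password_verify() instead of md5(). It assumes the post's table `admin` with columns `username` and `password` (the password column holding a password_hash() string, so VARCHAR(255) is a safe width), placeholder connection credentials, and PHP 7.1 or later for the type declarations.

```php
<?php
// Added example (not from the forum post). Assumes table `admin` with
// columns `username` and `password`; the latter stores a password_hash() string.

function connect(): PDO
{
    // Placeholder credentials: replace with your own.
    return new PDO(
        'mysql:dbname=yourdbname;host=localhost;charset=utf8mb4',
        'user',
        'password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // surface query errors as exceptions
            PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Store a new password: bcrypt via password_hash(); the salt is generated and embedded for you.
function registerAdmin(PDO $pdo, string $username, string $plainPassword): void
{
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO admin (username, password) VALUES (:username, :password)');
    $stmt->execute([':username' => $username, ':password' => $hash]);
}

// Look the user up by username only and compare the password in PHP, never inside the SQL.
// Returns the row (minus the hash) on success, or null for an unknown user or wrong password.
function loginAdmin(PDO $pdo, string $username, string $plainPassword): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM admin WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();

    if ($row === false || !password_verify($plainPassword, $row['password'])) {
        return null; // same outcome for "no such user" and "bad password"
    }

    // If PASSWORD_DEFAULT's algorithm or cost has changed since the hash was made, upgrade it now.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $stmt = $pdo->prepare('UPDATE admin SET password = :password WHERE username = :username');
        $stmt->execute([
            ':password' => password_hash($plainPassword, PASSWORD_DEFAULT),
            ':username' => $username,
        ]);
    }

    unset($row['password']); // don't carry the hash around in the session
    return $row;
}

// Usage sketch with the form field names from the thread ($_POST['use'], $_POST['pass']):
// $pdo  = connect();
// $user = loginAdmin($pdo, $_POST['use'], $_POST['pass']);
// if ($user === null) {
//     echo 'Invalid login';
// } else {
//     $_SESSION['user'] = $user['username'];
// }
```

Two design points worth noting: the query selects by username alone and leaves the password comparison to password_verify(), which is what lets the stored hash be salted and slow without the database having to know anything about it; and the unknown-user and wrong-password paths return the same value, so the login page does not tell a caller which half of the credentials was wrong.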
Yes, if you run your output variables through htmlspecialchars() first you'll be safe. You could also use a templating library such as Twig, which automatically sanitizes output data. XSS stands for cross-site scripting, yes. Cross-site scripting is when a user is able to inject client-side code into your page.
-
Search Username & Password and the verify status
scootstah replied to bordetaning's topic in PHP Coding Help
Of course it's possible. Have you written any code? Are you stuck somewhere in particular? -
You might try transactions. This will basically lock the table/row while your queries run, to make sure that the values don't change in the meantime.
-
No, not a joke. You're looking for query errors here:

if (mysql_query($sql)) {
    echo "success";
} else {
    echo "error" . mysql_error();
}

So, you said that my query didn't work, and there are no errors? Try printing the $sql variable and posting the output.
-
Pretty much any time you're outputting dynamic content, it needs to be escaped first. Whether that content comes from your database, an XML feed, an external API, whatever... it needs to be escaped. If you let a user input data into your database, then you need to be escaping it when you display it back onto your website somewhere. If not, then the user could type HTML or JavaScript and thus you have an XSS vulnerability. Right now, you're escaping before it gets to your database. Typically this isn't the way to go. It's better to escape as close to output as possible, as that way you are sure that all content, no matter its origin, is safe to display.
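Added example, not part of scootstah's post above: the escape-at-output approach that post and the earlier htmlspecialchars() reply describe, written as a small render function. The `e()` helper, the `renderComment()` function and the sample rows are all constructed here for illustration; the rows stand in for a database result set and include one comment carrying markup, to show that it comes out as literal text.

```php
<?php
// Added example (not from the forum post). Data is stored exactly as the user
// typed it; every place it is rendered into HTML passes through e().

// Escape a value for insertion into HTML text or into a quoted attribute.
function e(?string $value): string
{
    // ENT_QUOTES escapes both ' and " so the value is also safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one comment row into an HTML list item.
function renderComment(array $row): string
{
    return '<li data-author="' . e($row['author']) . '">'
         . '<strong>' . e($row['author']) . '</strong>: '
         . nl2br(e($row['body']))   // escape first, then add <br /> for the user's line breaks
         . '</li>';
}

// Constructed sample rows standing in for rows fetched from the database.
$rows = [
    ['author' => 'alice', 'body' => "Great post!\nThanks."],
    ['author' => '"><img src=x onerror=alert(1)>', 'body' => "<script>alert('xss')</script>"],
];

echo '<ul>';
foreach ($rows as $row) {
    echo renderComment($row);
}
echo '</ul>';
```

Because escaping happens in renderComment() rather than when the comment was saved, the second row's tags reach the browser as entity-encoded text and are displayed, not interpreted, and the same stored value can later be fed to a JSON API or a plain-text email without first having to undo HTML escaping. The order in nl2br(e(...)) matters: escaping after nl2br() would turn the inserted `<br />` tags back into text.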
-
I don't mean that stored procedures are silly, just the notion that you must use them to be safe. You're right, I should have been more specific.
-
Why is FireFox hitting my server twice?
scootstah replied to NotionCommotion's topic in PHP Coding Help
Why would you want to display an image that doesn't exist? EDIT: If you want to dynamically add an image tag from an AJAX result, then you can just add the whole image element instead of just changing the src. Or, initially set the src to a placeholder image or something.
-
Oops, sorry about the error. You're checking for SQL errors, are there any?
-
Need help recognizing the type of php class etc..
scootstah replied to tommytx's topic in PHP Coding Help
http://www.amazon.com/Objects-Patterns-Practice-Matt-Zandstra/dp/1430260319 Buy this book then. It's very good.
-
Probably because it comes up first in Google results. Try to stick more to the PHP manual and sites like Stack Overflow (and this one!). W3Schools is full of outdated and harmful practices. Avoid it like the plague. That function does nothing to prevent SQL injection. To do that you either need to use mysqli::real_escape_string() or prepared statements. Also, except for SQL injection, there is nothing else that will harm your database that you need to filter first. You do need to modify output before displaying it though. It's just usually preferred to do that as close to output as possible, rather than on input.
-
Caching files cause extra server hit.
scootstah replied to NotionCommotion's topic in PHP Coding Help
I believe by default it caches all responses. But, you can configure exactly which URLs you want to cache for.