
scootstah
Staff Alumni
Posts: 3,858
Days Won: 29

Everything posted by scootstah

  1. If you want portable hashes, try something like PHPass.
  2. Can't you just use typecasting?

         <?php
         $i = '-65.55asdfasdfasdf';
         echo (int) $i;   // -65
         echo (float) $i; // -65.55
  3. I have a bunch of playlists on Pandora, Grooveshark, and a library on my PC that I listen to. No specific thing, just whatever I'm in the mood for. I mostly listen to Alternative/Progressive Rock, most kinds of Metal, and Electronica/Trance stuff.
  4. A period of time exists between the start and end of a script. So, multiple calls to time() might not necessarily be the same. I wouldn't expect it to be off more than a second or two, and certainly not by days. Something else is at play here.
  5. That is probably the least of your concerns if you host with GoDaddy.
  6. Yes, yes it does. Aren't we using Sphinx?
  7. Maybe so, but writing one that matches 99.9% of them isn't. The format for an email address is pretty clearly defined, and not that complex. The chances of hitting an edge case where a specific email doesn't match are pretty slim. How many people do you know that use !#$%&'*+/=?^`{|}~ in their email address?
  8. You may be happy to know that parse_ini_file exists.
  9. This is typically done by sending a token along with the form. You can save the token to a session or temporary cookie when a form is submitted. Generate a new token on a legitimate form refresh. If the token matches one that was already set, it is a duplicate request.
  10. As shitty as their infrastructure is, and as much as they overload their boxes, it wouldn't take much.
  11. Yup
  12. So what's the problem then?
  13. That pattern isn't necessarily going to return valid emails. The domain portion is very lax, and the local part isn't totally accurate. For example, you can't have an email with: [email protected] Plus, you are missing a bunch of valid characters. I don't think anyone can hack your database with !/$ characters. But even if they could, you should already be escaping or binding the input anyway. Passwords shouldn't get any filtering. By filtering passwords you're just reducing their security. Once you hash it, whatever characters it was made up of are irrelevant anyway. Filter usernames however you want them to be displayed. Only you can decide what that should be.
  14. Well, you have seemingly no logic to determine if the form was submitted or not. Presumably you want something like:

         $show_status = null;
         $no_p  = '';
         $yes_p = "<p style='color:red'>" . $status . "<br /></p>";

         // check if form is submitted
         if (!empty($_POST)) {
             $show_status = isset($status) ? $no_p : $yes_p;
         }
  15. if ( !isset($_POST[ $x ]) This is equivalent to saying: if ( !isset($_POST['phone']), since "phone" was the last array item in the loop. Is that what you expected?
  16. > That's why I edited the post, cause I tested my "advice". I replied like that cause I thought in a logical way: how can you search for a-Z in a numeric field? It's impossible to find because MySQL doesn't accept text in an int field, so why run the query...

      Who said $search contains non-int characters? MySQL will just typecast it anyway.

      > I presumed that the backend user won't search for 1347289747

      They don't have to. They could search a human-readable date (like Sep 09, 2012) which gets converted to a UNIX timestamp or DATETIME.
  17. Regarding this:

         foreach( array('lastname','firstname','email', 'message', 'phone') as $x ) {
             ${$x} = $_POST[ $x ];
         }

         if ( !isset($_POST[ $x ]) || empty($message) || empty($email) )

      This makes very little sense. What are you trying to do here?
  18. > That's why I edited the post, cause I tested my "advice". I replied like that cause I thought in a logical way: how can you search for a-Z in a numeric field? It's impossible to find because MySQL doesn't accept text in an int field, so why run the query...

      Who said $search contains non-int characters? MySQL will just typecast it anyway.
  19. Assign your query to a variable, and then echo it out so that we can see the actual query being run (after the variables are evaluated). Like this:

         $query = "SELECT * FROM table_name WHERE event LIKE '%" . $search . "%' OR date LIKE '%" . $search . "%'";
         echo $query;

      Eh, what? You can search INT fields...
  20. All the cool cats use Microsoft Word.
  21.    class HTMLPurifier
         {

             /** Version of HTML Purifier */
             public $version = '4.3.0';

             /** Constant with version of HTML Purifier */
             const VERSION = '4.3.0';

             /** Global configuration object */
             public $config;

             /** Array of extra HTMLPurifier_Filter objects to run on HTML, for backwards compatibility */
             private $filters = array();

             /** Single instance of HTML Purifier */
             private static $instance;

             protected $strategy, $generator;

             /**
              * Resultant HTMLPurifier_Context of last run purification. Is an array
              * of contexts if the last called method was purifyArray().
              */
             public $context;

             /**
              * Initializes the purifier.
              * @param $config Optional HTMLPurifier_Config object for all instances of
              *                the purifier, if omitted, a default configuration is
              *                supplied (which can be overridden on a per-use basis).
              *                The parameter can also be any type that
              *                HTMLPurifier_Config::create() supports.
              */
             public function __construct($config = null) {
                 $this->config   = HTMLPurifier_Config::create($config);
                 $this->strategy = new HTMLPurifier_Strategy_Core();
             }

             /**
              * Adds a filter to process the output. First come first serve
              * @param $filter HTMLPurifier_Filter object
              */
             public function addFilter($filter) {
                 trigger_error('HTMLPurifier->addFilter() is deprecated, use configuration directives in the Filter namespace or Filter.Custom', E_USER_WARNING);
                 $this->filters[] = $filter;
             }

             /**
              * Filters an HTML snippet/document to be XSS-free and standards-compliant.
              *
              * @param $html String of HTML to purify
              * @param $config HTMLPurifier_Config object for this operation, if omitted,
              *                defaults to the config object specified during this
              *                object's construction. The parameter can also be any type
              *                that HTMLPurifier_Config::create() supports.
              * @return Purified HTML
              */
             public function purify($html, $config = null) {

                 // :TODO: make the config merge in, instead of replace
                 $config = $config ? HTMLPurifier_Config::create($config) : $this->config;

                 // implementation is partially environment dependant, partially
                 // configuration dependant
                 $lexer = HTMLPurifier_Lexer::create($config);

                 $context = new HTMLPurifier_Context();

                 // setup HTML generator
                 $this->generator = new HTMLPurifier_Generator($config, $context);
                 $context->register('Generator', $this->generator);

                 // set up global context variables
                 if ($config->get('Core.CollectErrors')) {
                     // may get moved out if other facilities use it
                     $language_factory = HTMLPurifier_LanguageFactory::instance();
                     $language = $language_factory->create($config, $context);
                     $context->register('Locale', $language);

                     $error_collector = new HTMLPurifier_ErrorCollector($context);
                     $context->register('ErrorCollector', $error_collector);
                 }

                 // setup id_accumulator context, necessary due to the fact that
                 // AttrValidator can be called from many places
                 $id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context);
                 $context->register('IDAccumulator', $id_accumulator);

                 $html = HTMLPurifier_Encoder::convertToUTF8($html, $config, $context);

                 // setup filters
                 $filter_flags = $config->getBatch('Filter');
                 $custom_filters = $filter_flags['Custom'];
                 unset($filter_flags['Custom']);
                 $filters = array();
                 foreach ($filter_flags as $filter => $flag) {
                     if (!$flag) continue;
                     if (strpos($filter, '.') !== false) continue;
                     $class = "HTMLPurifier_Filter_$filter";
                     $filters[] = new $class;
                 }
                 foreach ($custom_filters as $filter) {
                     // maybe "HTMLPurifier_Filter_$filter", but be consistent with AutoFormat
                     $filters[] = $filter;
                 }
                 $filters = array_merge($filters, $this->filters);
                 // maybe prepare(), but later

                 for ($i = 0, $filter_size = count($filters); $i < $filter_size; $i++) {
                     $html = $filters[$i]->preFilter($html, $config, $context);
                 }

                 // purified HTML
                 $html =
                     $this->generator->generateFromTokens(
                         // list of tokens
                         $this->strategy->execute(
                             // list of un-purified tokens
                             $lexer->tokenizeHTML(
                                 // un-purified HTML
                                 $html, $config, $context
                             ),
                             $config, $context
                         )
                     );

                 for ($i = $filter_size - 1; $i >= 0; $i--) {
                     $html = $filters[$i]->postFilter($html, $config, $context);
                 }

                 $html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context);
                 $this->context =& $context;
                 return $html;
             }

             /**
              * Filters an array of HTML snippets
              * @param $config Optional HTMLPurifier_Config object for this operation.
              *                See HTMLPurifier::purify() for more details.
              * @return Array of purified HTML
              */
             public function purifyArray($array_of_html, $config = null) {
                 $context_array = array();
                 foreach ($array_of_html as $key => $html) {
                     $array_of_html[$key] = $this->purify($html, $config);
                     $context_array[$key] = $this->context;
                 }
                 $this->context = $context_array;
                 return $array_of_html;
             }

             /**
              * Singleton for enforcing just one HTML Purifier in your system
              * @param $prototype Optional prototype HTMLPurifier instance to
              *                   overload singleton with, or HTMLPurifier_Config
              *                   instance to configure the generated version with.
              */
             public static function instance($prototype = null) {
                 if (!self::$instance || $prototype) {
                     if ($prototype instanceof HTMLPurifier) {
                         self::$instance = $prototype;
                     } elseif ($prototype) {
                         self::$instance = new HTMLPurifier($prototype);
                     } else {
                         self::$instance = new HTMLPurifier();
                     }
                 }
                 return self::$instance;
             }

             /**
              * @note Backwards compatibility, see instance()
              */
             public static function getInstance($prototype = null) {
                 return HTMLPurifier::instance($prototype);
             }

         }

      What's wrong with that?
  22. Old habits die hard I guess.
  23. I do as well for the most part. But, I use tabs for indenting.
  24. http://css-tricks.com/
      http://www.smashingmagazine.com/

      I also read a bunch of random blogs that I find on reddit. Mostly in r/php, r/webdev, and r/web_design
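The duplicate-submission token scheme from post 9 above, written out as an added example that is not code from the thread: the form carries a fresh random token, the handler consumes it on first use and reports a resend of the same token as a duplicate. The $session array stands in for $_SESSION so the script runs from the CLI, and the function names are assumptions.

```php
<?php
// Added example, not code from the thread: one-time form tokens that flag a
// duplicate (double-click or refresh-and-resend) submission, as outlined in
// post 9. $session stands in for $_SESSION so this runs without a web server.

function issue_form_token(array &$session) {
    // A fresh random token every time the form is legitimately (re)rendered.
    $token = bin2hex(random_bytes(16));
    $session['form_token'] = $token;
    return $token;
}

function hidden_token_field($token) {
    return '<input type="hidden" name="form_token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Returns 'ok' for a first submission, 'duplicate' for a resend of an
// already-consumed token, 'invalid' for a missing or never-issued token.
function handle_submit(array &$session, array $post) {
    if (!isset($post['form_token']) || !is_string($post['form_token'])) {
        return 'invalid';
    }
    $token = $post['form_token'];
    if (isset($session['used_tokens'][$token])) {
        return 'duplicate';   // this token was already processed once
    }
    if (!isset($session['form_token'])
        || !hash_equals($session['form_token'], $token)) {
        return 'invalid';     // constant-time compare against the issued token
    }
    // Consume the token so a resend of this exact form is detected.
    $session['used_tokens'][$token] = time();
    unset($session['form_token']);
    return 'ok';
}

// Constructed walk-through: first submit, resend, bogus token, then a
// legitimate refresh that issues a new token.
$session = array();
$token = issue_form_token($session);
echo hidden_token_field($token), "\n";
echo handle_submit($session, array('form_token' => $token)), "\n";
echo handle_submit($session, array('form_token' => $token)), "\n";
echo handle_submit($session, array('form_token' => 'bogus')), "\n";
$token2 = issue_form_token($session);
echo handle_submit($session, array('form_token' => $token2)), "\n";
```

In a real handler the used_tokens list should be pruned (for example by the stored timestamp) so a long-lived session does not grow without bound.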