ToonMariner

Everything posted by ToonMariner

  1. have a look for 37signals' 'Getting Real' - it's definitely my favourite methodology - I find it MUCH more conducive to producing good quality sites... Very few project managers appreciate web build and can often stick lots of literally pointless processes in the way purely because they don't appreciate how organic web development is.
  2. no, not just POST data but URL-encoded data too...
  3. I use a data cage class to sanitize any user-submitted data... However, your situation is better solved using the PEAR DB package, which does its magic to prevent SQL injection with minimal effort. It isn't efficient to run this on every page and on every variable passed to the page... you will be far better off just using mysql_real_escape_string on the variables when you submit them to the query... One point to note there is that UTF-8 codes could be in the string and when those are submitted they are evaluated, so they will allow an injection attack: http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
  4. body { background: #D9E6F7; font: .74em "Trebuchet MS", Verdana, Arial, sans-serif; margin: 0; height: 100%; } You could style the html element... html { background: #d9e6f7; } but this is not practical if you need different background colours on different pages...
  5. Errrr??? What? Won't that leave anything that's not a number or ,? In other words, wouldn't that return "," for "500,000"? Why not just do: preg_replace('/[^0-9]/', '', $number); erms oooops - good spot! actually I was just testing... also make sure you keep the decimal point!!! preg_replace('/[^0-9\.]/', '', $number);
  6. if you can see it in the source code of the page then it's not PHP. PHP is long gone once the markup is served out to the browser.
  7. that is JavaScript and anyone can easily turn JavaScript off
  8. 100,000.00 will be evaluated as a string... use $amount = preg_replace('/[^0-9\.]/', '', $_POST['amount']); should get round all that extra code...
  9. Don't put quotes around NULL when you want auto_increment to work... 'NULL' is a string and MySQL will treat it as such.
  10. preventing default behaviour is a sure-fire way to alienate users. If your site is breaking because of it then your application design is wrong. If this is one of those instances where your page is performing an action that would be repeated on refresh (like removing/adding a record in a database etc.) then you should use header('Location: ...'); after the database update to send the user to a page that can be refreshed, and even hitting back on that won't repeat the update.
  11. of course there will be a hit - but that's the trade-off - if you need encryption then you need encryption. With the hardware today that hit is not 'that bad'.
  12. last check - put... if (isset($_POST) && count($_POST) > 0) { print_r($_POST); } at the top of your code and see what is passed to the page. You should be able to see what is in the 'name' element. Also echo out your query immediately before running it to see if the string contains your search terms... echo $sql; $result = mysql_query($sql); Use that information to check that you are assigning the correct value to $name. The query in your code is fine providing that $name is being correctly assigned a value.
  13. I suggest you have a look at using jQuery - if you do then managing this stuff is dead easy... http://docs.jquery.com/Events/focus
  14. use JavaScript... you will need to record the time the user started the video and the video id and either store it in a cookie or send it to your server with an AJAX request - if the user stops the video, update the cookie or send AJAX once more. If they leave the page then you can check the cookie server-side or check the data sent via AJAX and work your magic...
  15. you use FCKeditor to replace a textarea with the editor... simply use $_POST['XXX'] where XXX is the name or id of the textarea you have told FCKeditor to 'replace'.
  16. also performance wise use enum rather than char(1)
  17. did you echo out the query string? You can always copy and paste it to run in your db management tool - see what it says about the query.
  18. Daniel is correct in that in this case there is no extra hit on your code IF you let the database manage the encryption - I very much doubt you will see a significant performance hit on this. The only point I would make here is that you should use a class to manage this and encrypt that file too (with Zend Guard or ionCube) so that your encryption salt is not available if they get FTP access too!
  19. are you posting this to a page like /search.php?go=xxx? I don't have a problem with mixing GET and POST data - just wondering if you have used $_GET['go'] when you meant $_POST. To check, I suggest you echo out your query string just before you run it.
  20. Have you considered normalizing your storage of emails? I split the email address into its local and domain parts... you can store the domain part as normal but can then encrypt the local part. e.g. joe@bloggs.com... in my user table I store 'joe' in `email_local` and 1 in `domain`. Then just have an association table to match 1 to 'bloggs.com' - the advantage of this is most people will have hotmail, gmail etc. so you cut down the amount of data stored significantly. You still have the encryption to do - I'd leave that to MySQL - use the aes_encrypt and aes_decrypt functions in your query - this should be more efficient than decrypting the results in PHP. So what you will end up with, should someone gain access to your database, is a table full of domain names that they can read and a field in your user table with the local part of the email encrypted. You will always have to pay for encryption/decryption but reducing the amount of data you are encrypting should always help. Others may have better options but what I've suggested above is what I do - I'd love to improve so hopefully someone will have a better plan!!
  21. you need some application like ffmpeg or mencoder that can parse the video file... if your host doesn't support it but you have command line access to your server you can install it yourself. This page has some instructions (bit old so there may be more recent examples). If you can't do that then I'd suggest you switch hosts.
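The split-and-encrypt layout from post 20, written out as an added example (not ToonMariner's code). It assumes a `domains(id, name)` table with a unique name, a `users(id, email_local VARBINARY, domain INT)` table, an open PDO connection and a key loaded from config outside the web root.

```php
<?php
// Added example: normalise an address into local part + domain id, encrypting
// only the local part with MySQL AES_ENCRYPT as post 20 describes.
// Caveats a defender should know: the key is sent to the DB server on every
// query (so it can appear in the general log), and MySQL's default
// block_encryption_mode is aes-128-ecb, so equal local parts give equal
// ciphertext. This protects a leaked dump, not a live compromised server.

function splitEmail(string $email): array {
    // Split on the last '@' so a quoted local part containing '@' survives.
    $at = strrpos($email, '@');
    if ($at === false) {
        throw new InvalidArgumentException('not an email address');
    }
    return [substr($email, 0, $at), strtolower(substr($email, $at + 1))];
}

function domainId(PDO $pdo, string $domain): int {
    // Shared lookup table: hotmail/gmail etc. are stored once, in clear text.
    $pdo->prepare('INSERT IGNORE INTO domains (name) VALUES (?)')->execute([$domain]);
    $st = $pdo->prepare('SELECT id FROM domains WHERE name = ?');
    $st->execute([$domain]);
    return (int) $st->fetchColumn();
}

function storeUserEmail(PDO $pdo, string $key, int $userId, string $email): void {
    [$local, $domain] = splitEmail($email);
    $st = $pdo->prepare(
        'UPDATE users SET email_local = AES_ENCRYPT(:local, :k), domain = :d WHERE id = :id'
    );
    $st->execute([
        ':local' => $local, ':k' => $key, ':d' => domainId($pdo, $domain), ':id' => $userId,
    ]);
}

function loadUserEmail(PDO $pdo, string $key, int $userId): ?string {
    // Decrypt inside the query so PHP never handles the raw ciphertext.
    $st = $pdo->prepare(
        "SELECT CONCAT(AES_DECRYPT(u.email_local, :k), '@', d.name)
           FROM users u JOIN domains d ON d.id = u.domain
          WHERE u.id = :id"
    );
    $st->execute([':k' => $key, ':id' => $userId]);
    $row = $st->fetchColumn();
    return $row === false ? null : $row;
}

// Placeholder usage; $pdo and $key come from your own bootstrap code.
// storeUserEmail($pdo, $key, 42, 'joe@bloggs.com');
// echo loadUserEmail($pdo, $key, 42);   // joe@bloggs.com
```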
  22. should be fine - don't trust the maxfile thing in html though - always check file size on upload.
  23. very peculiar... when using readonly you should always use readonly="readonly"... if you don't want the textbox read only simply don't put readonly in. This will let users input data into the field. The other attribute that behaves in a similar fashion is disabled="disabled" which leaves the whole textbox greyed out and uneditable...
  24. <?php $sql = "SELECT title, article FROM articles, category WHERE category.catid='" . mysql_real_escape_string($_GET['id']) . "' AND articles.catid = category.catid"; ?>
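The query from post 24 rewritten with a server-side prepared statement, which is the alternative post 3 links to. This is an added example, not code from the thread; the database name, credentials and the `articles`/`category` column names are assumptions.

```php
<?php
// Added example: the articles-by-category query as a PDO prepared statement.
// Two points from post 3 are handled here: the value never touches the SQL
// text, so escaping is not needed, and the connection charset is declared in
// the DSN so client and server agree on multibyte boundaries (the mismatch
// that the multibyte escape bypass in the linked article depends on).

function connectDb(): PDO {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',   // assumed
        'app_user',                                            // assumed
        'PLACEHOLDER_PASSWORD'                                 // placeholder
    );
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Real server-side prepares rather than client-side string building.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

function articlesInCategory(PDO $pdo, $rawId): array {
    // catid is numeric: reject anything that is not digits before querying.
    // (In post 24's unquoted form, escaping alone would not help here, since an
    // integer context has no quote to escape out of.)
    if (!ctype_digit((string) $rawId)) {
        return [];
    }
    $st = $pdo->prepare(
        'SELECT a.title, a.article
           FROM articles a
           JOIN category c ON a.catid = c.catid
          WHERE c.catid = :id'
    );
    $st->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

$rows = articlesInCategory(connectDb(), $_GET['id'] ?? '');
foreach ($rows as $row) {
    // Encode on output; escaping for SQL says nothing about HTML.
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```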
  25. Validate your markup first (i suggest you switch to a strict doctype) and make sure your css validates - after that if you still have problems come back and quiz us all - we'll be happy to help...