Jacques1

Community Answers

  1. Jacques1's post in imagecreatefromstring how? was marked as the answer   
    Well, “data:image/gif;” certainly isn't valid Base64. So you have to extract the actual image data before you decode it.
  2. Jacques1's post in General question about variable scope was marked as the answer   
    You've mixed up two naming styles: $this->allowedTags isn't the same as $this->allowed_tags. If you fix this, you can in fact define the attribute in the class body.
     
    Is this the best approach? Well, it's difficult to tell given this very abstract code, but hard-coding the tags inside the class means you won't be able to ever change them (unless you change the class definition, of course). It might make more sense to define the tags outside of the class and pass them through the constructor.
  3. Jacques1's post in Password Change, 500 Internal Server Error was marked as the answer   
    Your code generally doesn't make a lot of sense. What is the query

        SELECT password FROM users WHERE password =

    supposed to do? You take the submitted plaintext password and then try to find the exact same string in your database? Aren't your database passwords hashed?
     
    I guess what you actually want is to get the password hash(!) for the provided username:

        SELECT password FROM users WHERE username = :username

    It might be a good idea to rename the column "password" to "password_hash" to avoid this confusion in the future.
     
    You have a lot of other weird parts in your code, so I strongly recommend you go through this line by line and carefully test each part with var_dump(). Don't just write down one big block of code and test it afterwards, because this makes debugging much harder.
  4. Jacques1's post in Selecting a mysql server at registration was marked as the answer   
    I understand that you have multiple Jabber servers, but that doesn't mean you should have a separate database for each one of them. Or is this a specific requirement of the Jabber implementation you're using?
     
    Anyway, if you absolutely need multiple databases, create an array which maps the different server names to different MySQL connection parameters:

        <?php

        $jabberDatabases = [
            'jabber1.example.com' => [
                'host' => 'localhost',
                'user' => 'user1',
                'password' => 'pw1',
                'database' => 'db1',
            ],
            'jabber2.example.com' => [
                'host' => 'localhost',
                'user' => 'user2',
                'password' => 'pw2',
                'database' => 'db2',
            ],
        ];

    Given the name of the jabber server, you can select the corresponding parameters for mysql_connect() and mysql_select_db().
  5. Jacques1's post in what is this code? was marked as the answer   
    That's a bit strange, but there's no rule saying that WP malware can only infect WP-based applications.
     
    Anyway, all of the above still applies. If you've written the code yourself, replace “Update your application” with “Learn the basics of PHP security and fix your code accordingly”.
  6. Jacques1's post in How can I display a PDF file on screen? was marked as the answer   
    The easiest option is to send the appropriate content type with header() and then show the file content with readfile().

        <?php

        header('Content-Type: application/pdf');
        readfile('/path/to/pdf');

    A more sophisticated and efficient approach is to delegate the file transfer to the webserver:

      • mod_xsendfile for Apache
      • X-Accel for nginx
  7. Jacques1's post in Passing Anonymous Function to a function was marked as the answer   
    It's difficult to give advice for this extremely abstract scenario.
     
    Generally speaking, a method should make sense on its own and not have hidden dependencies all over the place. You should be able to give a clear description of what this particular method does. If you cannot do that, you should refactor it. Maybe you need an additional parameter, maybe you need to break the logic into multiple methods, maybe you have to do a lot more. That depends on the actual problem (which you haven't stated yet).
     
    Callbacks do make sense in some special scenarios, but you shouldn't use them as a standard pattern. When you're starting to pile up closures and your requirements are becoming weirder and weirder, it's definitely time to stop.