secweb

Members, 29 posts
Everything posted by secweb

  1. You could use a hidden form input element for the id. As for the pre-filled data, where are you storing it anyway, i.e. you'd get it from there... Otherwise if they use a back button then encode it in that (maybe better to use an actual button in that case), however if they don't use your pre-formatted back link then the data is lost, so you may want to store it in session variables, however they'll only be able to fill out one form at once then (which is what MOST people will do anyway, but there's always one)
  2. Where is $uploaded_type set? At the moment I'd say it'll be null...
  3. Thank you, yes I finally noticed that too... Here's how that ended for .htaccess:

     Header always set X-Frame-Options "SAMEORIGIN"
     Header always set X-Xss-Protection "1; mode=block"
     Header always set X-Content-Type-Options "nosniff"

  4. Over the weekend I installed Kali Linux and ran a few vulnerability scanners against my new (currently local) site. A few things kept popping up (using Nikto and OWASP's ZAP). How important are these, and is it best to handle them in my PHP code?

     1. X-Frame-Options. This is the method I've found for this:

        header('X-Frame-Options: SAMEORIGIN');

     2. X-XSS-Protection. Just finally found this, not sure if it works yet though:

        header("X-XSS-Protection: 0");

     3. X-Content-Type-Options. Also just finally found this:

        header('X-Content-Type-Options: nosniff');

     Is there any other security checks I should be making? Can you suggest any other good scanners or tools?
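The three findings above are what scanners like Nikto and ZAP raise when a response lacks (or weakly sets) these headers. The script below is an added example, not code from these posts: it parses a raw HTTP response header block and reports each of the three headers as missing, weak, or ok, so you can check a local site's responses before re-running the scanner. The sample responses, the function names and the accepted values are constructed for this illustration; the X-XSS-Protection check reports presence only, since current browsers have removed the filter that header controlled.

```python
# Added example (not from the forum posts): audit the three headers the
# scanners flagged. Sample responses below are constructed, not captured.

# Accepted values per header; None means "report presence only".
EXPECTED = {
    "X-Frame-Options": ("SAMEORIGIN", "DENY"),
    "X-Content-Type-Options": ("nosniff",),
    "X-XSS-Protection": None,  # legacy filter, browsers no longer honour it
}

# Constructed sample responses standing in for what a scanner would see.
SAMPLE_BARE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Server: Apache\r\n\r\n<html>...</html>"
)
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n"
)
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "x-content-type-options: NoSniff\r\n\r\n"
)


def parse_raw_headers(raw):
    """Split a raw response into {lower-case header name: value}.

    Only the header block (before the blank line) is read; the status line
    is skipped and header names are lower-cased for case-insensitive lookup.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue  # malformed line, ignore
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(headers):
    """Return {header: 'missing' | 'weak: <value>' | 'ok'} for each expected header."""
    report = {}
    for name, accepted in EXPECTED.items():
        value = headers.get(name.lower())
        if value is None:
            report[name] = "missing"
        elif accepted is None:
            report[name] = "ok"  # presence is all we check for this one
        elif value.lower() in (a.lower() for a in accepted):
            report[name] = "ok"
        else:
            report[name] = f"weak: {value}"
    return report


def findings(raw):
    """Names of headers that are missing or weak in a raw response, sorted."""
    report = audit_security_headers(parse_raw_headers(raw))
    return sorted(name for name, status in report.items() if status != "ok")


if __name__ == "__main__":
    for label, sample in (("bare", SAMPLE_BARE), ("hardened", SAMPLE_HARDENED),
                          ("weak", SAMPLE_WEAK)):
        print(label, audit_security_headers(parse_raw_headers(sample)))
```

Feed it the header block from `curl -sI http://localhost/` (or a ZAP request export) to confirm the .htaccess or `header()` change actually reached the response; note that the `always` keyword in the .htaccess lines above matters because without it Apache drops the headers on error responses.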