xyph

Staff Alumni
Posts: 3,711
Days Won: 1

Everything posted by xyph

  1. Yeah, read up on XSS. With JavaScript you have full control of the DOM, which means they can point forms (login?) to their own servers. You can use htmlspecialchars to help prevent this.
  2. PHP code in a string will not be executed unless it's in an exec() call. JavaScript is what you should be worried about.
  3. No, gateway will be LAN-specific, and not broadcast on WAN (internet) requests.
  4. SELECT m.member_first_name, m.member_last_name, t.tag_number FROM members m LEFT JOIN id_tags t USING (member_id)
  5. There's no reason at all to put sensitive information within the web root. Why even give the opportunity to parse it?
  6. Make sure the config file is outside of the webroot. Beyond that, you should be fine. If you're going to store it in plain-text, make sure it's a password you don't use anywhere else.
  7. It's all preference, so I can't really say NO UR WRONG LOL! When I think laptop, I think portable computing and the rig you posted stinks for that. 3-4 hours of battery life isn't enough for me (and there's NO way you'll get that while gaming). If you need to save space, and don't mind staying plugged-in, it's great. Any desktop gaming GPU will be able to handle 90+ degrees as well. Regardless, running hardware at that temperature will lead to a shorter lifespan. The nice part about a desktop GPU is for $20 (wait for them sales) I can get an after-market cooler that will be loud as shit at full load, but keep it down to 70-75 degrees. I agree, gaming laptops are bigger (they HAVE to be), but it's still really cramped in there to have two beefy processors running at full load for any significant amount of time. I'm not just preaching cause I have some random grudge, I've seen probably $10k worth of gaming laptops fail at various LANs when I was younger (if your machine locks up and powers itself off, DON'T TRY AND TURN IT BACK ON TO RESUME GAMING!). Maybe the hardware's changed significantly in the last while, but I just don't trust it. If you want a machine with top-tier processing power, a small form factor isn't your friend!
  8. They may not listen to the customer, but when Visa knocks at their door, they don't fuck around. You should check out the interesting warranty stuff that can sometimes come along when buying with a credit card as well.
  9. Well this one is just about one year old... I guess laptops are just not suitable for video gaming. They can be. It just depends what you buy. Even gaming laptops kinda suck. Small form factors don't deal well with heat - a pretty common by-product of processor-intensive activity. If you want to game, a laptop is generally a bad idea. Melted components SUCK.
  10. By using a comma-delimited list in your table, you've made it very difficult to query against data within that list. You're going to want to normalize that data, give each comma-delimited item its own row that references back to a specific program.
  11. Use GROUP BY user_id. DISTINCT will return only unique results over all of your selected columns combined.
  12. Thanks for the links! Making us all google, you jerk.
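Two added SQL examples (not from the posts above) for posts 10 and 11, illustrating first why a comma-delimited column is hard to query and what the normalized version looks like, then why DISTINCT over several columns and GROUP BY user_id give different results. All table and column names (programs_flat, programs, program_items, logins) are assumptions, and the rows are constructed sample data.

```sql
-- Post 10: the comma-delimited design versus one row per item.
CREATE TABLE programs_flat (
    program_id   INT PRIMARY KEY,
    program_name VARCHAR(100) NOT NULL,
    items        VARCHAR(255) NOT NULL   -- e.g. 'math,science,art'
);
INSERT INTO programs_flat VALUES
    (1, 'Summer camp', 'math,science,art'),
    (2, 'Winter camp', 'art,music'),
    (3, 'Spring camp', 'smart,science');

-- Finding programs that include 'art' needs string tricks and cannot use an index;
-- a naive LIKE '%art%' would also match 'smart', so the delimiters must be padded.
SELECT program_name FROM programs_flat
 WHERE CONCAT(',', items, ',') LIKE '%,art,%';   -- MySQL syntax; FIND_IN_SET is the usual workaround

-- Normalized: each item is its own row that references its program.
CREATE TABLE programs (
    program_id   INT PRIMARY KEY,
    program_name VARCHAR(100) NOT NULL
);
CREATE TABLE program_items (
    program_id INT NOT NULL,
    item       VARCHAR(50) NOT NULL,
    PRIMARY KEY (program_id, item),
    FOREIGN KEY (program_id) REFERENCES programs (program_id)
);
INSERT INTO programs VALUES (1, 'Summer camp'), (2, 'Winter camp'), (3, 'Spring camp');
INSERT INTO program_items VALUES
    (1, 'math'), (1, 'science'), (1, 'art'),
    (2, 'art'),  (2, 'music'),
    (3, 'smart'), (3, 'science');

-- The same question is now an exact, indexable join (returns Summer camp, Winter camp).
SELECT p.program_name
  FROM programs p
  JOIN program_items i USING (program_id)
 WHERE i.item = 'art';

-- Post 11: DISTINCT de-duplicates the whole selected row, GROUP BY collapses per key.
CREATE TABLE logins (user_id INT NOT NULL, ip_address VARCHAR(45) NOT NULL);
INSERT INTO logins VALUES
    (1, '192.0.2.10'), (1, '192.0.2.10'), (1, '192.0.2.20'), (2, '198.51.100.7');

-- 3 rows: user 1 appears once per distinct IP, because both columns take part.
SELECT DISTINCT user_id, ip_address FROM logins;

-- 2 rows: one per user; any other column must be aggregated, not picked at random.
SELECT user_id, COUNT(*) AS login_count, COUNT(DISTINCT ip_address) AS distinct_ips
  FROM logins
 GROUP BY user_id;
```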
  13. An attacker regenerating a session isn't a big issue, the session is stolen regardless. With a regenerated ID, at least the user will instantly know.
  14. Hope it all works out for you. Charge-backs aren't fun, but they're there when you need em.
  15. There's not that much that can be done to prevent MitM attacks. It's more of a security issue outside of your control. Even with IP checking, an attacker can spoof the originating IP, and perform whatever actions he needs to without the server knowing it's coming from elsewhere... Since the attacker generally doesn't care about the response, just performing the action itself.
  16. Multiple users can have the same IP. Users can change IP on a per request basis. It's a decent solution, but it might piss off certain users, and won't help if the attack is performed on the same local network.
  17. xyph
    Hi!
    You'll find most here quite helpful, as long as you don't mind the occasional smart ass remark.
  18. Some paranoid people will regenerate the session ID with each request. It helps prevent active theft, because any activity on the attackers end would kick the user out. The attacker would have to wait for the user to go idle, or hope they don't actively destroy the session (logout) when they're done.
  19. After testing it out, it turns out it all varies on your PHP version. If you're using 5.3 and above for both ends, bcrypt should give you the same results, because the library has been built into PHP itself. Previous versions may vary, due to different mcrypt libraries being used. bcrypt can be portable, and is not machine-specific. If you're using PHP < 5.3, be careful, and you're probably better off using PHPass with portable hashes turned on (still very secure).
  20. Yes, the attacker would hijack the active session, and the legit user's session would be orphaned. When the user logs back in and generates a new session ID, the attacker's hijacked ID would then be orphaned.
  21. bcrypt isn't portable from what I understand. You're creating machine-specific hashes.
  22. If you're going by the hidden value in the form, the user can manipulate it.
  23. How can you have two folders with the same name in a directory? Allowing the user to define $userId is a BAD idea.
  24. You should only have 1 select with an ID of 'edit'. IDs are unique.