
ignace

Moderators
Everything posted by ignace

  1. Yes, you need to use the decode function. If all you'll ever need is the a-element for URLs, I'd suggest writing some regex that finds a URL in the text and converts it to <a href="$1">$1</a>. This way you aren't bothered with possible HTML injects.
  2. I didn't know that, I really thought all PDO did was provide database portability. Well, you really learn something new every day.
  3. htmlspecialchars encodes (thus they are not processed by your browser, like you would want) <, >, " and '. Leave the htmlspecialchars out. <a href="hello-world">Hello World</a> has been converted to: &lt;a href=&quot;hello-world&quot;&gt;Hello World&lt;/a&gt; and shows up as: <a href="hello-world">Hello World</a>
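Putting posts 1 and 3 together, here is an added example (my code, not ignace's) of the safe order of operations: escape the user's text so any tags they typed stay literal, and only then build the one <a> element you want the browser to process. The URL pattern and the rel="nofollow" attribute are my own choices.

```php
<?php
// Added example, not from the original post: escape first, then linkify.
// Only the <a> elements this function builds are live HTML; everything the
// user typed (including a pasted <script> tag) is entity-encoded.
function linkify(string $text): string
{
    // Split the text into [text, url, text, url, ...]; with DELIM_CAPTURE the
    // captured URLs land on the odd indexes.
    $parts = preg_split('~(https?://[^\s<>"\']+)~i', $text, -1, PREG_SPLIT_DELIM_CAPTURE);

    $out = '';
    foreach ($parts as $i => $part) {
        // Every chunk, URL or not, goes through htmlspecialchars() so that
        // <, >, " and ' (and & in query strings) are never emitted raw.
        $escaped = htmlspecialchars($part, ENT_QUOTES | ENT_HTML5, 'UTF-8');

        $out .= ($i % 2 === 1)
            ? '<a href="' . $escaped . '" rel="nofollow">' . $escaped . '</a>'
            : $escaped;
    }
    return $out;
}

// Constructed inputs for the demonstration.
echo linkify('see http://example.com/?a=1&b=2 for details'), PHP_EOL;
echo linkify('<script>alert(1)</script> http://example.com/"><b>x</b>'), PHP_EOL;
```

The second input shows why the order matters: the pasted script tag and the trailing "><b>x</b> come out as harmless entities, while the URL itself becomes a working link.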
  4. Is serverx the server on which PHP runs? Or do you want to access that server through PHP using something like fopen()? If the latter, then you cannot modify it to e:/ as that would point to your own hard drive (in this case your CD- or DVD-ROM). //serverx identifies a server on your network; everything after serverx (/sharex/folderx) identifies a resource on that specific server.
  5. $time = strtotime($row['expiry_date']);
     $expiry_date = date('d-m-Y', $time);
     list($day, $month, $year) = explode('-', $expiry_date);
     $month -= 2; // 2 months earlier
     if ($month < 1) {
         $year -= 1;
         $month = 12 - abs($month);
     }
     $alert_on_expiry = date('Y-m-d' /* SQL date format (Y-m-d) */, mktime(0, 0, 0, $month, $day, $year));
  6. switch ($productType) {
         case 'jeans':
             include 'jeans.php';
             break;
         case 'watches':
             include 'watches.php';
             break;
         default:
             include 'everything.php';
             break;
     }
  7. Unless they write And'rew, right? I'm sticking with my first suggestion, it solves a lot of problems and saves you the hassle:
  8. What has PDO to do with MySQL buffering its queries? PDO stands for PHP Data Objects and is a database abstraction layer (thus only making your application portable across multiple database vendors).
  9. Both PHP and MySQL are known to be able to handle a serious amount of users, and if both are properly optimized you can serve an even more serious amount of users. However, chances are that within the first year you won't see that many people online, maybe not even in the first 5 years (depending on findability and marketing). A lot of companies invest in a certain amount of servers which would be able to handle that serious load. However, there are very few companies who experience that serious load within the first year (because their user base is only starting to expand); the second year is more probable (as you'll already have a user base and returning users).
  10. login.php
      // verify there was actually something posted..
      if (empty($_POST)) /* nothing posted */ header('Location: index.html');
      $username = !empty($_POST['username']) ? $_POST['username'] : null;
      $password = !empty($_POST['password']) ? $_POST['password'] : null;
      Replace:
      if (!isset($username) || !isset($password)) {
          header( "Location: index.html" );
      } elseif (empty($username) || empty($password)) {
          header( "Location: index.html" );
      }
      With:
      if (!$username || !$password) { // one or both are left blank
          header('Location: index.html');
      }
      Enclose repeating tasks:
      $user = addslashes($_POST['username']);
      $pass = md5($_POST['password']);
      function clean($variable, $allow_tags = false) {
          if (!get_magic_quotes_gpc()) {
              $variable = addslashes($variable);
          }
          if (!$allow_tags) {
              $variable = strip_tags($variable);
          }
          return htmlentities(trim($variable));
      }
      $user = clean($_POST['username']);
      $pass = md5(clean($_POST['password']));
      Encapsulate application behavior so it may be used anywhere and only has to be modified in one place:
      // $username and $password have to be validated before calling login(), otherwise you wouldn't be able to set appropriate form errors.
      function login($username, $password) { // usage: if (!login($username, $password)) { // login failed
          global $db, $config;
          if (!$db) trigger_error('Authentication can not proceed. Database connection not available.'); // report silently
          if (!session_id()) trigger_error('Authentication can not proceed. Session hasn\'t yet been started.');
          $logged_in = false;
          $username = mysql_real_escape_string($username);
          $password = mysql_real_escape_string($password);
          $query = "SELECT id, username FROM users WHERE username = '$username' AND password = '$password'";
          $result = mysql_query($query, $db);
          if (mysql_num_rows($result) === 1) {
              $record = mysql_fetch_assoc($result);
              $logged_in = true;
              // make sure that $config['auth_key'] contains a value that you won't use easily
              $_SESSION[$config['auth_key']] = $record;
          }
          return $logged_in;
      }
      function is_logged_in() {
          // empty() only accepts a variable, not a function call, so store the result first
          $info = get_user_session_info();
          return !empty($info);
      }
      function get_user_session_info() {
          global $config;
          $auth_key = $config['auth_key'];
          return !empty($_SESSION[$auth_key]) ? $_SESSION[$auth_key] : array();
      }
      Create validators for information that is the same over the entire website:
      function is_valid_username($username) {
          $strlen = strlen($username);
          return ctype_alpha($username) && ($strlen > 8 && $strlen < 16);
      }
      function is_valid_password($password) {
          $strlen = strlen($password);
          // the pattern needs delimiters, otherwise [ and ] are taken as the delimiters themselves
          return ($strlen > 6 && $strlen < 16) && preg_match('/[A-Za-z0-9]/', $password);
      }
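The login()/is_logged_in() split from post 10, rewritten as an added example (my code, not ignace's) with the two pieces a current PHP version would change: a prepared statement instead of mysql_real_escape_string(), and password_hash()/password_verify() instead of md5(). It assumes a PDO connection in $db and a users table with columns id, username and password_hash, both constructed here on an in-memory SQLite database (requires the pdo_sqlite extension).

```php
<?php
// Added example, not the poster's code. Assumes: PDO connection $db, table
// users(id, username, password_hash), pdo_sqlite available for the demo.
function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    // password_hash() chooses a random salt and a slow algorithm (bcrypt by default),
    // so two users with the same password still get different hashes.
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $username, string $password): bool
{
    // The username is bound as a parameter: quotes in it never reach the SQL text.
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $record = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($record === false || !password_verify($password, $record['password_hash'])) {
        return false; // unknown user or wrong password: same answer for both
    }
    // New session id on privilege change, so an id handed out before login is not reused.
    session_regenerate_id(true);
    $_SESSION['auth'] = ['id' => $record['id'], 'username' => $record['username']];
    return true;
}

function is_logged_in(): bool
{
    return !empty($_SESSION['auth']);
}

// Self-contained demonstration; all results are collected before any output so
// session_regenerate_id() runs before headers are considered sent.
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
register($db, 'alice', 'correct horse battery staple');  // constructed test user
$attempts = [
    'wrong password'  => login($db, 'alice', 'wrong'),
    'quoted username' => login($db, "alice' OR '1'='1", 'anything'),
    'valid login'     => login($db, 'alice', 'correct horse battery staple'),
];
$attempts['is_logged_in'] = is_logged_in();
var_dump($attempts);
```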
  11. Please elaborate on which information you are referring to? A session cookie has by default a lifetime of 0 (which means it is destroyed upon browser closure). If you modify the lifetime of the session cookie, then the session on your server won't expire until the client-side cookie does, or until you destroy the session, or the browser crumbles the cookie.
  12. What is actually the problem? Andrew doesn't get <censored> but all others will? If you disallow Andrew you'll also disallow yourself. Don't allow them to create names; create a generated name for them (e.g. user001). Allow names only when registered (because if anyone is Andrew, then who are you?). And add a UNIQUE type to your username field in your database so no one can use the same name more than once.
  13. function q09(w) {
          f = document.forms.fms;
          ok = 1;
          a = f.name;
          if (a.value.length < 6) { a.value = ''; a.focus(); ok = 0; }
          if (ok == 1) { return true; } else { document.getElementById('emms').innerHTML = w; return false; }
      }
      is in my opinion JavaScript.
  14. http://be2.php.net/manual/en/function.session-set-cookie-params.php
  15. Weird no one noticed:
      $cat = isset($_GET['cat']) ? $_GET['cat'] : 'all';
      $cat = mysql_real_escape_string($cat);
  16. Notice the double quotes.
      $contents = str_replace("\r\n", '', $contents);
  17. so i would do something like this...
      $res = mysql_fetch_array(mysql_query("SELECT rm.m_user, rm.m_id, rm.m_date, rp.i_id FROM rate_members AS rm LEFT JOIN rate_pictures AS rp ON rm.m_id = rp.i_user WHERE rm.m_type = '1' AND rp.i_private = 0 AND rm.m_del != 1 AND rp.i_status=2 LIMIT 24"));
      foreach ($res as $line) {
      No. Something like this:
      $query = mysql_query("SELECT rm.m_user, rm.m_id, rm.m_date, rp.i_id FROM rate_members AS rm LEFT JOIN rate_pictures AS rp ON rm.m_id = rp.i_user WHERE rm.m_type = '1' AND rp.i_private = 0 AND rm.m_del != 1 AND rp.i_status=2 LIMIT 24");
      while ($row = mysql_fetch_assoc($query)) {
      And PFMaBiSmAd, how do you know all this stuff? Either you wrote PHP or you have made the mistake once yourself. Because some stuff you tell just isn't covered in the manual. But true nevertheless. I think you breathe stdin and stdout.
  18. config.php
      $config['fckeditor_directory'] = '/path/to/dir';
      somepage.php
      require_once('config.php');
      print $config['fckeditor_directory'];
  19. You can, however only in safe_mode (or by using chdir()) and if you have php.ini access, as doc_root is PHP_INI_SYSTEM. However, /includes/file.php will still throw errors I guess, as you are then trying to access files outside the doc_root. Just remember to always start without a / (require_once('includes/file.php')), which assumes the current working directory (getcwd()). Maybe user_dir can help: http://www.php.net/manual/en/ini.core.php#ini.user-dir
  20. <form method="post" action="https://webpage.net/xml/mail/Login?__frame=_top" id="login_form" name="myform" target="_blank">
      should be:
      action="/path/to/your/profile-page.php"
      But which application are you using?
  21. From: {$_SESSION['sitename']} <{$config['sitemail']}>
      Does $_SESSION['sitename'] contain any value? And shouldn't it be $config['sitename']?
      Reply-To: {$name} <{$config['sitemail']}>
      Reply to himself?
  22. There is nothing wrong with your code. It's probably the SPAM filters that stop your e-mail from being received. Either send each e-mail individually, or only add one $to and add the others to $cc or $bcc.
  23. Change to:
      $tmp = !empty($_GET['action']) ? $_GET['action'] : 'default';
      Change 'default' to whatever it should fall back to. Store the information in your session:
      $_SESSION['name'] = $name;
      Then on the activation page where he enters his activation code (although you can bypass this by providing a link in the e-mail, &activation_code=5q37t453qh4gq, that activates the user and redirects to some page) verify the data exists:
      if (isset($_SESSION['name'])) { ..exists.. } else { ..doesn't..exist.. }
      and redirect them if it doesn't. Here is some more advice: Don't use @, it will make it hard to debug.
      @$username = ($_POST['username']);
      Don't use "or die()"; your users don't understand what "MySQL Error 1062: .." means. They may even believe they broke it and will leave your website with a feeling of guilt, probably to never return again, and you'd be giving away information to hackers. Instead use: Add a system environment variable (if you don't know how, look it up) named DEBUG and give it the value 1.
      define('DEBUG', getenv('DEBUG') ? getenv('DEBUG') : false);
      $defaultErrorHandler = null;
      if (DEBUG) {
          error_reporting(E_ALL);
          ini_set('display_errors', TRUE);
          ini_set('log_errors', FALSE);
      } else {
          error_reporting(0);
          ini_set('display_errors', FALSE);
          ini_set('log_errors', TRUE); // also report the error in error.log
          $defaultErrorHandler = set_error_handler('error_handler');
      }
      ob_start(); // keep everything in the buffer until we flush it
      function error_handler($errno, $errstr, $errfile = '', $errline = 0, array $errcontext = array()) {
          // no errors will be displayed
          if (!headers_sent()) {
              header('Location: /error404.php');
          } else {
              ob_end_clean(); // whatever there was, we don't need it anymore.
              require_once('error404.php');
          }
          exit; // stop here, otherwise PHP would continue running the script after the handler returns
      }
      Now whenever you edit your website locally you'll get full error reporting, and when you upload your files to your server your error_handler() will kick in (because the server doesn't have the DEBUG environment variable). Use trigger_error() to invoke the error_handler().