ignace

Everything posted by ignace

  1. Yeah, but neither the browser, the OP, nor the regex would care about that. Just wanted to point it out in case the OP had to deal with such URLs, and to avoid a repeat question: "Why does this regex not match blabla".
  2.   $url = 'http://ws.audioscrobbler.com/2.0/?method=track.getsimilar&artist=Astronautalis&track=The+Wondersmith+and+His+Sons&limit=3&api_key=b25b959554ed76058ac220b7b2e0a026';
       // third argument true: $url is fetched as a URL rather than parsed as XML text
       $xml = new SimpleXMLElement($url, 0, true);
       // the json encode/decode round trip flattens the SimpleXMLElement into nested arrays
       $array = json_decode(json_encode($xml), true);
  3. Thought about that! But didn't want to bother, as more experienced regex gurus would surely follow up. Quick note to the OP: [^\'"\s]+ means that if you have unescaped hrefs like:

       http://www.domain.top/files/Report 2011.pdf

     which should be:

       http://www.domain.top/files/Report+2011.pdf

     or

       http://www.domain.top/files/Report%202011.pdf

     it would return a URL like:

       http://www.domain.top/files/Report
  4. +1, unless the blog is by some respected author (which are then mostly excerpts from their book..). As a book I would recommend Pro PHP Security.
  5. The question mark after * makes it ungreedy. If you leave it out, it will match everything between the first WORD1 and the last WORD2; if you have multiple occurrences of WORD2, the ungreedy operator will only match until the first WORD2.

       // ungreedy: matches (foobar stands for FTP Operation Over Big Address Records.)
       preg_match('!WORD1(.*?)WORD2!', 'WORD1foobar stands for FTP Operation Over Big Address Records.WORD2Explanation of these and more acronyms can be found atWORD2', $matches);
       print_r($matches);

       // greedy: matches (foobar stands for FTP Operation Over Big Address Records.WORD2Explanation of these and more acronyms can be found at)
       preg_match('!WORD1(.*)WORD2!', 'WORD1foobar stands for FTP Operation Over Big Address Records.WORD2Explanation of these and more acronyms can be found atWORD2', $matches);
       print_r($matches);
  6. The rename is not required per se, I added it as a convenience. Programs will always read the first few bytes to find the image MIME type; only Windows uses file extensions...
  7. You can try using http://www.php.net/manual/en/function.exif-imagetype.php:

       file_put_contents($row['id'], $row['bdata']);
       switch (exif_imagetype($row['id'])) {
           case IMAGETYPE_GIF:
               rename($row['id'], $row['id'] . '.gif');
               break;
           // ..
       }
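The two replies above make one point: decide what a blob is from its leading bytes, not from a name or extension somebody supplied. The following is an added example (not code from the thread) that turns that into a small allow-list check around exif_imagetype(). It keeps the thread's $row['id'] and $row['bdata'] column names; the allow-list, the temp directory, the storeImageBlob() helper and the sample rows are assumptions constructed for the example, and it needs the exif extension just as the original snippet does.

```php
<?php
// Added example (not from the original thread): validate image blobs pulled from
// the database by sniffing their content, not by trusting a supplied extension.
// $row['id'] and $row['bdata'] are the thread's column names; the allow-list,
// storage directory and helper name below are assumptions for this example.

declare(strict_types=1);

/** Accepted exif_imagetype() results, mapped to the extension we store them under. */
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Write a blob to disk, sniff its real type from the magic bytes and give it the
 * matching extension. Returns the final path, or null if the blob is not an
 * accepted image (in which case nothing is left on disk).
 */
function storeImageBlob(string $dir, string $id, string $blob): ?string
{
    // Use the id only as an opaque filename: strip anything that could act as a path.
    $safeId = preg_replace('/[^A-Za-z0-9_-]/', '', $id);
    if ($safeId === '') {
        return null;
    }
    $tmp = $dir . DIRECTORY_SEPARATOR . $safeId . '.tmp';
    if (file_put_contents($tmp, $blob) === false) {
        return null;
    }

    // exif_imagetype() reads the first bytes of the file and returns an
    // IMAGETYPE_* constant, or false when no known signature is present.
    $type = exif_imagetype($tmp);
    if ($type === false || !isset(ALLOWED_IMAGE_TYPES[$type])) {
        unlink($tmp);              // not a GIF/JPEG/PNG: discard it
        return null;
    }

    $final = $dir . DIRECTORY_SEPARATOR . $safeId . '.' . ALLOWED_IMAGE_TYPES[$type];
    rename($tmp, $final);
    return $final;
}

// Constructed sample rows standing in for the database result set.
$rows = [
    // a 1x1 transparent GIF: accepted and stored as img1.gif
    ['id' => 'img1', 'bdata' => base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==')],
    // a script body that merely claims to be an image: rejected and deleted
    ['id' => 'img2', 'bdata' => "<?php echo 'not an image'; ?>"],
];

$dir = sys_get_temp_dir();
foreach ($rows as $row) {
    $path = storeImageBlob($dir, $row['id'], $row['bdata']);
    echo $row['id'], ': ', $path === null ? 'rejected' : 'stored as ' . basename($path), PHP_EOL;
}
```

The temp-then-rename order matters: nothing with a browser-friendly extension exists on disk until the content check has passed, so a rejected blob never becomes a servable file, and the id is reduced to a filename-safe token before it touches the filesystem.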
  8.   if (preg_match_all('!(href|src)="([^"]+)"!', $string, $matches)) {
           foreach ($matches[2] as $location) {
               // use $location
           }
       }
  9.   $reqID = preg_replace('#[^0-9]#i', '', $_POST['reqID']);

     Replace this with the following; you don't need the regex (the regex is also wrong, you don't need the i modifier):

       $reqID = intval($_POST['reqID']);
       if ($reqID <= 0) {
           // invalid ID specified
       }

       while ($row = mysql_fetch_array($query)) {
           $mem1 = $row["mem1"];
           $mem2 = $row["mem2"];
       }

     You don't need the while() here since you only return 1 record, unless your ID is not unique? But then your code is wrong too, since you would only process the last returned relation (each iteration overwrites $mem1 and $mem2).

       $sql = "SELECT * FROM friends_requests WHERE id='$reqID' LIMIT 1";

     Replace with:

       $sql = "
           SELECT FIND_IN_SET(T2.id, T3.friend_array) <> 0 AS mem2_has_friend,
                  FIND_IN_SET(T3.id, T2.friend_array) <> 0 AS mem1_has_friend
           FROM friends_requests T1
           JOIN myMembers T2 ON T2.id = T1.mem1
           JOIN myMembers T3 ON T3.id = T1.mem2
           WHERE T1.id = $reqID
       ";

     This returns who is befriended with whom. That said, you should not store friends in a CSV; instead you should store this relation in a separate table (for example keep it in friends_requests, don't delete at the end, and add additional columns that indicate whether both accepted the relation).
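The reply above recommends two things: validate the request id as an integer instead of scrubbing it with a regex, and keep the friendship in a relation table with acceptance flags instead of a comma-separated friend_array. The block below is an added example (not code from the thread) that does both with PDO prepared statements, so the id is bound rather than interpolated and the FIND_IN_SET() lookup disappears. The myMembers and friends_requests names come from the thread; the mem1_accepted/mem2_accepted columns, the helper names and the in-memory SQLite database (used only so the example runs offline) are assumptions.

```php
<?php
// Added example (not the thread's code): the relation table suggested above, in
// place of a comma-separated friend_array, queried with prepared statements so
// the request id never has to be sanitised by regex. The acceptance columns,
// helper names and in-memory SQLite database are assumptions for this example.

declare(strict_types=1);

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE myMembers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    // One row per relation; two flags record whether each side has accepted it.
    $db->exec('CREATE TABLE friends_requests (
        id INTEGER PRIMARY KEY,
        mem1 INTEGER NOT NULL REFERENCES myMembers(id),
        mem2 INTEGER NOT NULL REFERENCES myMembers(id),
        mem1_accepted INTEGER NOT NULL DEFAULT 1,
        mem2_accepted INTEGER NOT NULL DEFAULT 0,
        UNIQUE (mem1, mem2))');
    // Constructed sample data.
    $db->exec("INSERT INTO myMembers VALUES (1, 'alice'), (2, 'bob')");
    $db->exec('INSERT INTO friends_requests (id, mem1, mem2) VALUES (10, 1, 2)');
    return $db;
}

/** Parse a request id from untrusted input; null when it is not a positive integer. */
function parseRequestId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look up one request and who has accepted it, or null when it does not exist. */
function findRequest(PDO $db, int $reqID): ?array
{
    $stmt = $db->prepare('SELECT T1.id, T2.name AS mem1, T3.name AS mem2,
                                 T1.mem1_accepted, T1.mem2_accepted
                          FROM friends_requests T1
                          JOIN myMembers T2 ON T2.id = T1.mem1
                          JOIN myMembers T3 ON T3.id = T1.mem2
                          WHERE T1.id = :id LIMIT 1');
    $stmt->execute([':id' => $reqID]);   // bound parameter, never interpolated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** The other side accepts: flip a flag instead of rewriting a CSV column. */
function acceptRequest(PDO $db, int $reqID): bool
{
    $stmt = $db->prepare('UPDATE friends_requests SET mem2_accepted = 1 WHERE id = :id');
    $stmt->execute([':id' => $reqID]);
    return $stmt->rowCount() === 1;
}

$db = openDemoDb();
foreach (['10', '10 OR 1=1', '-3'] as $raw) {      // constructed inputs
    $id = parseRequestId($raw);
    echo var_export($raw, true), ' => ',
         $id === null ? 'invalid ID' : json_encode(findRequest($db, $id)), PHP_EOL;
}
acceptRequest($db, 10);
echo json_encode(findRequest($db, 10)), PHP_EOL;
```

filter_var() with FILTER_VALIDATE_INT is stricter than intval(): intval('10 OR 1=1') silently returns 10, whereas the filter rejects the whole string, so the caller can distinguish a malformed request from a valid id. The UNIQUE (mem1, mem2) constraint is what makes the LIMIT 1 in the original query unnecessary.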
  10. On this scale? The DB has to be used by universities across the globe?
  11. http://be.php.net/manual/en/reference.pcre.pattern.modifiers.php
 12.   $value_one=$two_num_below+0.125; $value_one_fin=round($value_one*$value_one,2);
       $value_two=$value_one+0.125; $value_two_fin=round($value_two*$value_two,2);
       $value_three=$value_two+0.125; $value_three_fin=round($value_three*$value_three,2);
       $value_four=$value_three+0.125; $value_four_fin=round($value_four*$value_four,2);
       $value_five=$value_four+0.125; $value_five_fin=round($value_five*$value_five,2);
       $value_six=$value_five+0.125; $value_six_fin=round($value_six*$value_six,2);
       $value_seven=$value_six+0.125; $value_seven_fin=round($value_seven*$value_seven,2);
       $value_eight=$value_seven+0.125; $value_eight_fin=round($value_eight*$value_eight,2);
       $value_nine=$value_eight+0.125; $value_nine_fin=round($value_nine*$value_nine,2);
       $value_ten=$value_nine+0.125; $value_ten_fin=round($value_ten*$value_ten,2);
       $value_eleven=$value_ten+0.125; $value_eleven_fin=round($value_eleven*$value_eleven,2);
       $value_twelve=$value_eleven+0.125; $value_twelve_fin=round($value_twelve*$value_twelve,2);
       $value_thirteen=$value_twelve+0.125; $value_thirteen_fin=round($value_thirteen*$value_thirteen,2);
       $value_fourteen=$value_thirteen+0.125; $value_fourteen_fin=round($value_fourteen*$value_fourteen,2);
       $value_fifteen=$value_fourteen+0.125; $value_fifteen_fin=round($value_fifteen*$value_fifteen,2);
       $value_sixteen=$value_fifteen+0.125; $value_sixteen_fin=round($value_sixteen*$value_sixteen,2);
       $value_seventeen=$value_sixteen+0.125; $value_seventeen_fin=round($value_seventeen*$value_seventeen,2);
       $value_eighteen=$value_seventeen+0.125; $value_eighteen_fin=round($value_eighteen*$value_eighteen,2);
       $value_nineteen=$value_eighteen+0.125; $value_nineteen_fin=round($value_nineteen*$value_nineteen,2);
       $value_twenty=$value_nineteen+0.125; $value_twenty_fin=round($value_twenty*$value_twenty,2);
       $value_twentyone=$value_twenty+0.125; $value_twentyone_fin=round($value_twentyone*$value_twentyone,2);
       $value_twentytwo=$value_twentyone+0.125; $value_twentytwo_fin=round($value_twentytwo*$value_twentytwo,2);
       $value_twentythree=$value_twentytwo+0.125; $value_twentythree_fin=round($value_twentythree*$value_twentythree,2);
       $value_twentyfour=$value_twentythree+0.125; $value_twentyfour_fin=round($value_twentyfour*$value_twentyfour,2);

     Can all be replaced with:

       $value = $two_num_below; // starting value, defined earlier in your script
       $names = array('one', 'two', 'three', 'four', 'five', 'six', 'seven', 'eight', 'nine', 'ten',
                      'eleven', 'twelve', 'thirteen', 'fourteen', 'fifteen', 'sixteen', 'seventeen',
                      'eighteen', 'nineteen', 'twenty', 'twentyone', 'twentytwo', 'twentythree', 'twentyfour');
       // alternatively use pear/Number_Words
       // $nw = new Number_Words;
       for ($i = 1; $i <= 24; $i++) {
           $value += 0.125;
           // $word = str_replace('-', '', $nw->toWord($i));
           ${'value_' . $names[$i - 1]} = $value;                        // e.g. $value_one
           ${'value_' . $names[$i - 1] . '_fin'} = round($value * $value, 2); // e.g. $value_one_fin
           // ${'value_' . $word} = $value;
           // ${'value_' . $word . '_fin'} = round($value * $value, 2);
       }
  13. TLG can you provide the link to the hacking forum thread. There might be more useful info for the OP.
 14. Not onclick, but instead on the page you land on:

       UPDATE jobs SET views = views + 1 WHERE id = 1
 15. > It doesn't save replies. It delegates the responsibility to save the reply to another function (otherwise we may say that the Main() function handles too many responsibilities). Isn't it a controller's job?

     The main() function is completely unrelated to my response, since it's a C artifact used to bootstrap an application. I was referring to the fact that your functions are described vaguely. One would assume for example that calling GetMessagesHtml() ALWAYS returns messages in HTML format, while the simple existence of a _GET or _POST variable could save a reply or even return a form instead of the expected formatted HTML messages. Hardly a side-effect-free function. GetMessagesHtml() is a very poor name if it would have to represent a Controller in your application.

     > IMO it's not a data access layer's or repository's responsibility. It's business logic and should be placed in the business logic layer (model layer). I agree that it shouldn't be in the controller class, but I disagree that it should be in the data access layer or in repository code.

     Actually it's presentation logic... An actual e-mail has headers to indicate this was a reply to a previous message. So your model should have an isReply(true) function if you don't have Headers.

     > getReplyMessageFormHtml() does not duplicate validation. There is no validation inside. Validation is initiated in the controller code (see the $formValidator->addRules() call). Could you please explain what exactly is wrong here?

     A form is a UI representation of a model/aggregate to let a user input data to store it in some data source. Your model validates data as it's entered through its mutator functions, right? So any external object that validates your model data actually copies your model validation.. Instead I would have a method on my model like so:

       public function getForm() {
           $form = new SomeModelForm();
           $form->setValidator($this);    // validate by calling set*() methods
           $form->setData($this->_data);  // used to edit the model
           return $form;
       }

     > Do we always need OO? What would become better in this code if I replaced static methods with instance methods? Which benefits would I get and do I need them?

     OO is generally advised for bigger projects since it allows you to describe things, which makes it easier/more intuitive to work with them. Like structs and enums in C. Take for example a message array versus a Message object:

       $message->setSubject('..');

     compare this to:

       $message['subject'] = '..';

     The $message array has to be validated first every time you want to work with the contents, and the code is sensitive to typos. Imagine what would happen in case of schema changes.. You would have to do a find/replace on your entire project instead of just having to open the Message class file and change the field name. There are more advantages than these, but they are beyond the scope of this post.

     > I think I will move functions to the corresponding model methods. For example PrepareReplySubject() could be moved to MessageService::PrepareReplySubject().

     MessageService is not the proper place to put this; as you mentioned before, it's business logic so it does not belong in a service. Instead I would opt for either a Special Case ReplyMessage which extends Message and has an isReplyFor(Message $message), or a simple $message->isReply(true); afterwards you can easily check if it's a reply and add 'Re:' in your view.
 16. Remarks:

     - Many of those functions handle too many responsibilities. GetMessagesHtml() for example saves replies, displays a reply form, and returns messages. It also relies on the globals $_GET and $_POST, which means that the function may return something different than what was intended, with no ability to enforce any specific output.
     - Object-specific behavior is performed by external functions. For example PrepareReplySubject() is used on a $message object to prepend a 'Re: ' string to its Subject.. IMO this should be wrapped inside a Reply() method on a DAO or Repo that loads the message from the database and already adds Re: or Fwd: to the Subject.
     - Controller/Presenter contains model behavior. For example getReplyMessageFormHtml() returns a Form with fields that map to a model/aggregate and duplicates validation (or calls $model->getvalidator())?
     - Poor use of OO, classes are not more than namespaces for static methods.
     - Namespacing functions would help to identify all functions that work on the same data. Which in turn helps in converting these to models.
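The two review posts above (16 and its follow-up, 15) argue for a Message model that validates through its own mutators, with a ReplyMessage special case that decides at presentation time whether to prepend "Re: ". The following is an added example (not the reviewed project's code) showing one concrete shape of that design: class names, the 120-character subject limit, the single-line subject rule and the sample messages are all assumptions constructed for the example.

```php
<?php
// Added example (not the reviewed code): a Message model that validates through
// its mutators, with replies expressed as a Special Case subclass so the view
// can prepend "Re: " itself. Class names, limits and sample data are assumptions.

declare(strict_types=1);

class Message
{
    protected string $subject = '';
    protected string $body = '';
    protected array $errors = [];

    /** Mutators validate, so every code path that fills the model runs the same rules. */
    public function setSubject(string $subject): self
    {
        $subject = trim($subject);
        // Reject CR/LF: a subject that ends up in a mail header must stay on one line.
        if ($subject === '' || strlen($subject) > 120 || preg_match('/[\r\n]/', $subject)) {
            $this->errors['subject'] = 'Subject must be 1-120 bytes on a single line.';
        } else {
            $this->subject = $subject;
            unset($this->errors['subject']);
        }
        return $this;
    }

    public function setBody(string $body): self
    {
        if (trim($body) === '') {
            $this->errors['body'] = 'Body may not be empty.';
        } else {
            $this->body = $body;
            unset($this->errors['body']);
        }
        return $this;
    }

    public function getSubject(): string { return $this->subject; }
    public function getBody(): string { return $this->body; }
    public function isValid(): bool { return $this->errors === []; }
    public function getErrors(): array { return $this->errors; }

    /** Subject as the view should show it; the base class returns it unchanged. */
    public function getDisplaySubject(): string { return $this->subject; }

    public function isReply(): bool { return false; }
}

/** Special Case: a reply knows which message it answers. */
class ReplyMessage extends Message
{
    public function __construct(private Message $inReplyTo)
    {
        // A reply starts from the original subject; the caller may still override it.
        $this->setSubject($inReplyTo->getSubject());
    }

    public function isReply(): bool { return true; }

    public function isReplyFor(Message $message): bool { return $message === $this->inReplyTo; }

    /** Prefix once, at presentation time, instead of mutating the stored subject. */
    public function getDisplaySubject(): string
    {
        $s = $this->subject;
        return preg_match('/^re:\s*/i', $s) ? $s : 'Re: ' . $s;
    }
}

// Constructed usage: the same validation runs whether data comes from a form or a reply.
$original = (new Message())->setSubject('Meeting notes')->setBody('See attached.');
$reply = (new ReplyMessage($original))->setBody("Thanks\nlooks good");
echo $reply->getDisplaySubject(), ' (reply: ', var_export($reply->isReply(), true), ')', PHP_EOL;

$bad = (new Message())->setSubject("Evil\r\nBcc: someone")->setBody('');
echo $bad->isValid() ? 'valid' : 'invalid: ' . implode(' ', $bad->getErrors()), PHP_EOL;
```

Because the rules live in setSubject() and setBody(), a form object handed $this as its validator (the getForm() sketch in the follow-up post) cannot drift out of sync with the model, and no controller needs its own copy of the rules.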
 17. That's not true, anyone can log in with:

       username: any existing username followed by ' --
       password: whatever

     everything will work ^^ If you don't know the username, try:

       username: foobarbat' OR 1 --
       password: whatever

     again anything will work here ^^ Just an example of how you can use sql injection to log into your application with and without a valid username. To figure out why the query is failing change line 12 to:

       $logSearch = mysql_query($query) or die(mysql_error());
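The reply above shows why a login query built by string concatenation accepts the two inputs it quotes. As an added example (not the thread's code), the block below is a login check written so that those same inputs become ordinary, non-matching usernames: the username is bound as a parameter and the password is compared with password_verify() against a stored hash. The users table layout, the helper names, the demo account and the in-memory SQLite database (used only so the example runs offline) are assumptions.

```php
<?php
// Added example (not the thread's code): a login check that makes the inputs
// quoted above harmless by binding the username as a parameter and comparing a
// password hash instead of a stored password. Table layout, demo account and
// the in-memory SQLite database are assumptions for this example.

declare(strict_types=1);

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL)');
    // Constructed account; only the hash is stored, never the password.
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

/** Returns the user id on success, null otherwise; never builds SQL from input. */
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);   // "alice' --" is just a username that does not exist
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), against a dummy hash when the user is unknown,
    // so response time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password', PASSWORD_DEFAULT);
    $hash = is_array($row) ? $row['password_hash'] : $dummyHash;
    $ok = password_verify($password, $hash);

    if (!is_array($row) || !$ok) {
        return null;
    }
    return (int) $row['id'];
}

$db = openDemoDb();
$attempts = [                                     // constructed attempts
    ['alice', 'correct horse'],
    ["alice' --", 'whatever'],
    ["foobarbat' OR 1 --", 'whatever'],
];
foreach ($attempts as [$u, $p]) {
    $id = authenticate($db, $u, $p);
    echo str_pad($u, 22), ' => ', $id === null ? 'login failed' : "user #$id", PHP_EOL;
}
```

One further point the reply touches on: `or die(mysql_error())` is a fine debugging aid while you find the broken query, but in production the database error belongs in a server-side log, not in the response, since the error text describes your schema to whoever triggered it.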
 18. Without the backslash it means it will match any character followed by in. So ".bin" will match ".in", since . means any character. Try doubling the backslash \\ or tripling it.
 19. No need for regex:

       if (substr(trim($email), -3) === '.in') {
           // we got a problem!
       }

     Regex would be:

       if (preg_match('!\.in$!', $email)) {
           // we got more problems here!
       }
 20. Or send a Refresh header:

       header('Refresh: 5,redirect.here');
  21. It's supposed to handle when a user tries to access something they are not authorized to. So user_forbidden_handle() should either redirect to or display a not authorized webpage. You can extend this further to also log this in the database so that you can track malicious activity.
 22. Preferably, yes. How you want to handle whether a user has access to a certain page is up to you to implement in the user_has_access() function.
 23. On top of each page:

       if (!user_has_access(__FILE__)) {
           user_forbidden_handle();
       }

     If you use a single point of entry like index.php which routes to a controller/page, then write this in your index.php.
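Posts 21 to 23 above describe the guard but leave user_has_access() and user_forbidden_handle() to the reader. The block below is an added example (not the thread's code) of one way to fill them in: a deny-by-default page-to-role map, a 403 response, and the log line post 21 suggests for spotting repeated probing. The session layout, the PAGE_ACL map, the extra parameters on the two functions (passed in instead of read from globals, so the guard is testable) and the sample requests are assumptions constructed for the example.

```php
<?php
// Added example (not the thread's code): one way to fill in the user_has_access()
// / user_forbidden_handle() pair from the replies above, as a single-entry-point
// guard. The session layout, role map, extra parameters and log format are
// assumptions for this example.

declare(strict_types=1);

/** Page -> roles allowed to view it. Deny by default: an unlisted page is forbidden. */
const PAGE_ACL = [
    'index.php' => ['guest', 'member', 'admin'],
    'jobs.php'  => ['member', 'admin'],
    'admin.php' => ['admin'],
];

function current_user_role(array $session): string
{
    return $session['role'] ?? 'guest';
}

/** True only when the page is listed and the current role is on its allow-list. */
function user_has_access(string $file, array $session): bool
{
    $page = basename($file);                 // __FILE__ is a full path
    $allowed = PAGE_ACL[$page] ?? [];
    return in_array(current_user_role($session), $allowed, true);
}

/** Record the refused request so repeated probing is visible, then answer with 403. */
function user_forbidden_handle(string $file, array $session, array $server, callable $log): void
{
    $log(sprintf('%s forbidden page=%s user=%s role=%s ip=%s',
        gmdate('c'),
        basename($file),
        $session['user'] ?? '-',
        current_user_role($session),
        $server['REMOTE_ADDR'] ?? '-'));
    http_response_code(403);
    echo 'Not authorized.';
    // In a real page this would exit here; omitted so the demo can continue.
}

// Constructed requests run through the guard; a real app would write $log to a file.
$log = static fn(string $line) => print("LOG: $line\n");
$cases = [
    ['/var/www/jobs.php',   ['user' => 'bob', 'role' => 'member']],
    ['/var/www/admin.php',  ['user' => 'bob', 'role' => 'member']],
    ['/var/www/secret.php', []],                       // anonymous, unlisted page
];
foreach ($cases as [$file, $session]) {
    if (!user_has_access($file, $session)) {
        user_forbidden_handle($file, $session, ['REMOTE_ADDR' => '203.0.113.5'], $log);
        echo PHP_EOL;
    } else {
        echo basename($file), ': allowed', PHP_EOL;
    }
}
```

The log line carries the page, the user, the role and the client address; with those four fields a handful of refusals from one session against pages it was never linked to stands out, which is the "track malicious activity" point post 21 makes.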