.josh

Everything posted by .josh

  1. http://www.phpfreaks.com/tutorial/php-security Section 9 is about directory traversal but you should also pay attention to Section 6 as it is somewhat related (I would suggest reading the whole tutorial though, as the whole thing has good info about security)
  2. You cannot define a property with another variable in a property declaration. If you want it to "auto" assign something on load-up like that, assign it in the __construct()
  3. Sure, you could wrap something around each item on your descriptions.php and then scrape the page for the right one every time, but that is not very efficient. You would have to load all of the descriptions and look for the right one, just to display one. Splitting all of your descriptions up into separate files and including them all on descriptions.php and then including only specific one on play_video.php would be a lot faster and more efficient. What would be even better is if you stored all your information in database. Select and display all on descriptions.php and select and display one on play_video.php
  4. All php regex patterns have to have a delimiter wrapped around the pattern. The tilde is just being used as the pattern delimiter. Other than that, it has no special significance. You can use most any non-alphanumeric character as the pattern delimiter, as long as you make sure to escape instances of it within your pattern. I use the tilde because it rarely ever comes up in stuff you are trying to match. Especially when making a pattern that matches html code. Lots of people use /.../ well in html code there are a lot of forward slashes, so you have to escape it every time you use it in your pattern.
  5. Cannot help you unless you give more details about the pages. Where is the data being stored? How is it being displayed on descriptions.php, etc..
  6. No you won't. The only thing you will learn by having people just hand stuff to you is laziness. Use your brain. I provided you with code that will look for /xyz/ in the url. How hard do you think it really is to replace "/xyz/" with "?site=" ? I assure you, it is not hard at all, and if you weren't so busy trying to freeload, you would see it easy enough.
  7. preg_match_all('~<p>.*?</p>~',$html,$ptags);
     $ptags = $ptags[0];

     example:

     $html = "<p>test</p> <p>test1</p> <p>test2</p>";
     preg_match_all('~<p>.*?</p>~',$html,$ptags);
     $ptags = $ptags[0];
     echo "<pre>";
     print_r($ptags);
     // output: Array ( [0] => <p>test</p> [1] => <p>test1</p> [2] => <p>test2</p> )
  8. Yeah I mean I do see a lot of their $$ making efforts, and perhaps I perceive more than the average person on this count, since I work in the analytics/tracking industry. But I don't work for google or anything so it's still limited :/
  9. It would take one of the following a) Convincing SMF team to build it into their core b) Someone make a mod for it, and phpf agree to use it c) Someone here willing to make a hack for it and maintain it (phpfreak staff doesn't have to be the one to make it, but they'd have to be the one to implement and maintain it) Actually TBH, all of this is probably moot. The way I hear it, the current phpfreak staff is working on a site/forum redesign. I have no idea how much of it is built from the ground up vs. 3rd party software but you could always ask that they consider it as a feature.
  10. I also want to point out that your responses/reasoning for making changes seem to be solely based on your personal preferences/opinions. When you make decisions and changes that affect a vast number of people, it is better to consider majority opinion, rather than individual opinion. It is the same principle you yourself have acknowledged for the unlikelihood of SMF making a change for a small community type. It is nothing personal and it's not that we don't listen to individuals, it's just that you have to look at the bigger picture when decisions and changes affect a lot of people. There are a ton of things I dislike about the forum software. Things I'd like to see added. Things I'd like to see removed. And there are a ton of things about the way this place is run that I disagree with, which is more or less why I am no longer a part of the staff. But that's another story. Point is, I recognize that I'm just one person, and I respect and do not take it personally when the majority of others sway another way. I'm not saying that you are taking any of this personally..I'm just wanting to make sure you don't take anything I say personally. And I don't think my opinions as an individual are any more or less valid than yours as an individual, either. Unless specifically stated as "IMO" my responses have been based off my experience as an ex-staff member, having been there when it was discussed by many people, and know the resulting majority consensus opinions, which I am in turn sharing with you.
  11. Yes, there have been exceptions. Most notably, the [ m ] .. [ /m ] tag. And it's been a hassle for people to keep up with them, which is why we avoid it. It's not really a matter of "Will this update break the hack?" but more-so the dependency to keep track of and apply the hack with each update. My answer was based on how it has been in the past when I was on staff, and giving an explanation of how things have been done. However, there are a bunch of (relatively) newer members of staff so maybe they are more willing to do this sort of thing. Maybe...maybe not.

      In the past, we have found SMF to be quite responsive in our efforts to make changes on things (now whether or not they agreed and did something is another story, but point is, they've always been pretty good about responding). But you are right in that a "coding" forum is just one of many types of communities out there and they generally try to only keep the most ambiguous of features in the core. This is why they also have an extensive forum mod community. We are much less opposed to using mods, as it puts the responsibility on the owner of the mods to maintain compatibility and it's a lot easier to keep track of and (re)install/update mods.

      Bitch, rant, voice opinion...whatever. I wasn't trying to make it sound negative, it's just my personal generic term to use.

      No not really...I have the advantage of having been on this staff and have seen over the years the complaints and confusion resulting in adjusting the time limits to various time limits (which we've done many times over the years). 5 minutes is a pretty good balance. That's not to say that it's perfect. No time limit will perfectly satisfy everybody. But we have seen that it's pretty fair as far as "least of the evils" so to speak. But again, this topic comes up a lot and is therefore reviewed a lot, so it can definitely change as the need arises.

      Well that's your personal opinion. My personal opinion is that you should always put some thought into what you say (or do). That goes for life in general, not just posting on a forum. IMO people who "act before they think" tend to make more mistakes and have more regrets.
  12. 1. tab + enter

      Out of all the years I've been here, this is literally the first time I've seen this "tab+entering" come up. That makes you the vast minority and my opinion is that phpfreaks should not cater to individual user preferences. It's nothing personal... But even still, if it were something worth changing, phpfreaks generally avoids hacking the forum software, as it creates a dependency on keeping up with the hack as new versions of the forum software are released. The better thing would be for you to go to the SMF community and voice your complaint there and see if they will change it in the core code.

      2. "Lost" Post after posting.

      Yes, this is definitely annoying, I agree. If you are in the middle of posting and your login session times out, or if the thread gets moved, or if the edit window times out, you are kind of SoL a lot of times. Sometimes I can press the back button and retrieve it, sometimes I can't. I haven't really looked into why the inconsistency etc.. but I have gotten in the habit of habitually c/ping my post in a text editor before clicking any post/preview buttons if it's a longer post (like this one!). I do feel your pain on this count, as I often write tl;dr posts. However, as with #1, we generally avoid hacking the software, so you should really go to SMF community and appeal to them for a change to the core.

      3. Short edit time

      You aren't the first person to bitch about this. I too find this annoying at times, especially since I am no longer staff and therefore this time limit applies to me, but overall IMO the decision for the time limit is sound. Feel free to search this forum for the many related posts, but the gist of it is that we have found 2 things happening with extended/unlimited post-editing times:

      a) Lots of users would post questions and then later delete them because they didn't want a paper trail of their noobness, be it for personal or professional reasons. To this we say tough shit. We are here to provide a learning resource. Allowing content to be removed goes against the principle of being a resource. If you do not like leaving a paper trail, then do not create one in the first place. It's just like real life: Once something comes out your mouth, you can't just take it back. We are not interested in covering up people's perceived misjudgments, noobness, etc...

      b) For "legit" edits: example "I typoed a line of code posted and I want to go back and edit it to fix it". We have found that there is a direct correlation between time of edit vs. original post, and confusion by other readers. This is a fairly active site, so at any given time, there are plenty of people reading threads. For people trying to follow along or help or be helped, it is better for them to read it as-is and you make an additional post with the correction, than to go back later and edit it. Even as early as 5 minutes later causes a lot of confusion, due to the rate of activity. Being more disciplined in proof-reading your stuff goes a long way in preventing the need to edit your post in the first place.
  13. Okay so basically what is happening is your negative character class consumes anything that is not a forward slash or a dot, so it matches all the way up to that "/" in the "</embed>" and then it starts backtracking, giving up characters in the match, until it finds the last " it ran into, to satisfy that " you end your pattern with. Since you are replacing the value of width, and since the value is delimited by quotes, you should make your negative character class match for anything that is not a quote:

      preg_replace( '#width="([^"]+)"#', 'width="100%"', $flv);

      This will make it stop matching at the next " it finds.
  14. Yes, several years ago we did have a karma/rep system in place. Basically what happened was instead of people using it to upvote/downvote posts based on usefulness of answer etc.. it was being treated as a popularity contest. People would give out positive or negative marks to people they did or didn't like, regardless of post content. Then people would constantly complain about not getting the positive mark for their post that was clearly the right answer, or complain about how they unfairly got some negative mark. We were not opposed to having a rating system in general, but since the system was clearly not being used as intended, we decided to ditch it. We've always been open for a solution that could be implemented that couldn't be so easily abused, but none have really come up since then. And..I have a sneaking suspicion that the karma/rep system in this new site renovation isn't going to be any different than any other existing karma/rep system, and therefore will be abused just the same, but whatever.
  15. okay well it's possible that your host may not allow the mail() function to be used... in order for the mail() function to work, it needs to be mapped to a mail server. A lot of super cheap/free hosts do not allow this (they disable it) because it allows for spammers to go crazy. I suggest you talk to your hosting provider and find out if they support mail()
  16. As far as the redirect: The only reason it would give that error is if the url you entered in for $redirect doesn't exist. That's what the error is telling you, that you are trying to request a page that doesn't exist. So you must have typoed the url or not using the correct path (or the page like..doesn't exist). As far as no email... What email address did you send it to? A lot of email providers like yahoo, gmail, etc... like to mark stuff as spam/junk...did you check your spam/junk/trash or any other email filter(s) you may have setup? Are you testing this on your own computer using WAMP or something, or are you testing this on a website somewhere with a mail server setup?
  17. well did you actually change these 2 lines:

      $to = 'your email address here';
      $redirect = 'url to redirect here';

      to be the right values?
  18. there was a small typo in the form. Was missing a closing quote (marked below as giant and blue): Subject: <input type='text' name='subject' /><br/>
  19. Well...I'm not entirely sure if this will work or not, seeing as how link is in a java applet and I'm not sure how java applets really behave...but you can try <body onUnload="location.href=location.href;"> Though TBH, IMO it's still bad form to do something like this. Better to get the owner of the java applet to change their code or cut them from your site.
  20. In the latest code you posted...

      a) you have the following added in there, which was intended as an example to illustrate a concept. You need to remove it:

      $price = explode($_GET['price']);
      echo $price[0];
      echo "<br/>";
      echo $price[1];

      b) You somehow managed to lose the delimiter for the explode. This line:

      $price = explode($_GET['price']);

      should be

      $price = explode('-',$_GET['price']);
  21. geez man, no offense, but you need to make a better effort here... if you are seriously struggling with something as basic as this...I mean again, no offense, but maybe coding just isn't your thing? you are passing your price range as a single "1-300" string. It's like saying "please give me thisandthis" instead of "please give me this and this". You need to split it up into individual variables. for example:

      $price = explode('-',$_GET['price']);
      echo $price[0];
      echo "<br/>";
      echo $price[1];

      Do you see how those are two separate things now? Now you can do this:

      if( isset($_GET['price'])) {
        $price = explode('-',$_GET['price']);
        $query = "SELECT * FROM productfeed WHERE price between '$price[0]' and '$price[1]' LIMIT 0, 10";
      }
  22. Okay sorry, I guess I misunderstood your needs. Updated function, much simpler:

      /**
       * Function to find out whether or not a string falls within an alphabetical range
       * @param string $subject The string you want to test
       * @param string $min The start range to match against
       * @param string $max The end range to match against
       * @return boolean
       */
      function isMatch($subject, $min, $max) {
        return ( (substr($subject,0,strlen($min)) >= $min) && (substr($subject,0,strlen($max)) <= $max) );
      } // end isMatch

      3 arguments: first one is the string you want to test, 2nd argument is the starting range, 3rd argument is the ending range. No passing arrays or hyphenated ranges or nothin'.

      Example 1: Check if 'something' falls between 'a' and 'z'
      echo isMatch('something','a','z'); // 1 (true)

      Example 2: Check if 'something' falls between 'a' and 'c'
      echo isMatch('something','a','c'); // 0 (false)

      Example 3: Check if 'something' falls between 'sa' and 'se'
      echo isMatch('something','sa','se'); // 0 (false)

      Example 4: Check if 'something' falls between 'sa' and 'sz'
      echo isMatch('something','sa','sz'); // 1 (true)

      Example 5: Check if 'cabinet' falls between 'can' and 'ciz'
      echo isMatch('cabinet','can','ciz'); // 0 (false)

      Example 6: Check if 'cell' falls between 'can' and 'ciz'
      echo isMatch('cell','can','ciz'); // 1 (true)
  23. I have no idea what "resignation" means to you, so I can't really recommend a script for that. Do you mean "logout"? Do you mean some kind of script to unregister? Script to resign from a job or project or something? Be more specific. But anyways, there is no magic script out there that will magically work by just uploading it to your server. You're going to have to write from scratch or integrate it with the rest of your site. No offense, but there are some pretty easy to spot/simple errors in the script that you posted, and if you are not proficient enough to have caught them, I don't think you will be able to write one from scratch yourself or even integrate an existing system with your site. There are plenty of login/membership system code tutorials out there; I suggest you start there instead of trying to find some prefab solution if you really want to do it yourself. If not, then my best suggestion to you would be to hire someone to do it for you.
  24. hmm I have thought of a potential flaw with the function, depending on what your actual need for this function is... Okay as mentioned, the way the function works is that it looks at the $search phrase you give it and compares it to the string/array you pass it, one array element per character if a range is given or block of characters if a literal string is given. So the question is, do you want to return true or false based on what would show up in like a dictionary listing, or do you want it to search for words based off matching ranges of each letter position specified? So in other words:

      Scenario 1: "In a dictionary, return for me all words that fall between "can*" and "ciz*". example: "cell" should fall between "can" and "ciz" alphabetically, but as-is, the function will return false, because that's not what the function is doing.

      Scenario 2: "return all words that start with 'c', followed by any one of these letters: 'a,b,c,d,e,f,g,h,i', followed by any one of these letters: 'n,o,p,q,r,s,t,u,v,w,x,y,z' ". This is what the function is currently doing. With "cell", the "c" is matched, then the "e" is matched from "a-i" but then "l" is not in the "n-z" range, so it returns false.

      So..do you see the difference? Which way were you wanting to do it?
  25. That code has so many things wrong with it, too many to even bother...and it looks like outdated code on top of that...I suggest you go find a newer login script to use. Also, this isn't a regex question.
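
The price-range lookup from post 21, as an added example that is not part of the original posts: the "min-max" string is validated before use and the two bounds are passed as bound parameters instead of being interpolated into the SQL string. The function names, the productfeed columns, the two-decimal limit, the sample rows and the in-memory SQLite database (pdo_sqlite) are assumptions made for illustration.

```php
<?php
/**
 * Parse a "min-max" range such as "1-300".
 * Returns array(min, max) as floats, or null when the input is not a valid range.
 */
function parsePriceRange($raw)
{
    // ?price[]=1 arrives as an array; anything that is not a string is rejected.
    if (!is_string($raw)) {
        return null;
    }
    // Two plain decimal numbers joined by one hyphen and nothing else.
    // \A and \z anchor the whole string (unlike $, \z does not allow a trailing newline).
    $num = '\d{1,9}(?:\.\d{1,2})?';
    if (!preg_match('~\A(' . $num . ')-(' . $num . ')\z~', $raw, $m)) {
        return null;
    }
    $min = (float) $m[1];
    $max = (float) $m[2];
    return ($min <= $max) ? array($min, $max) : null;
}

/** Return up to 10 products in the requested range; an invalid range runs no query. */
function findByPrice(PDO $db, $raw)
{
    $range = parsePriceRange($raw);
    if ($range === null) {
        return array();
    }
    // The SQL text is constant; the bounds travel separately as parameters.
    $stmt = $db->prepare(
        'SELECT name, price FROM productfeed
          WHERE price BETWEEN :min AND :max ORDER BY price LIMIT 10'
    );
    $stmt->execute(array(':min' => $range[0], ':max' => $range[1]));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample table so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE productfeed (name TEXT, price REAL)');
$db->exec("INSERT INTO productfeed VALUES ('cable', 4.99), ('router', 129.00), ('laptop', 899.00)");

// Constructed inputs standing in for $_GET['price']: one valid range, then malformed ones.
$inputs = array('1-300', '300-1', '1-abc', '1-300 extra', '');
foreach ($inputs as $in) {
    printf("%-16s => %d row(s)\n", var_export($in, true), count(findByPrice($db, $in)));
}
```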