volatileboy

  1. I can't help you much with this, but you need to be using preg_replace because, if I'm not mistaken, str_replace will only replace an exact string match.
  2. So as far as damage goes, it is limited to a JavaScript insertion, cookie and session stealing; files cannot be modified, PHP code inserted or anything like that?
  3. Hey people, I was going over an old script of mine the other day and I ran a web vulnerability scanner on it to see how secure it was, and I got an XSS warning. Now this puzzles me because I am not entirely sure how this affects the script and what can/can't be done. This script is old, so I will paste the relevant bits in here; it was playing with the $page variable. What damage could you do and how would you remedy the problem?

     ```php
     if(isset($_GET['page'])) {
         if($_GET['page'] > $numpages) {
             $page = 1;
         } else {
             $page = $_GET['page'];
         }
     } else {
         $page = 1;
     }
     echo ('<strong style="margin-top: 4px; margin-left: 3px;">Page ' . $page . ' of ' . $numpages . '</strong></p>');
     ```

     By putting a non-number in there, like hello.php?page=Hello, it simply output the word hello, so I am not fully sure what the security implications are and how insecure it really is. Might sound like a dumb question but it's been nagging at me. Thanks for reading!
  4. Well, for starters, your form tag needs an action parameter; this is why the page is just reloading.
  5. '<a href="page.php">' . $row["lname"] . '</a>'; Is that what you're asking about?
  6. "UPDATE table_name SET column_name='$newValue' WHERE id='$id'";
  7. Never mind, I solved it; I was using square brackets around the domains. The expression may not be sufficient still though, so if anyone has any flaws to the above method that I should know about then please let me know. Thanks!
  8. Hey peeps, got a quick question. Basically I am trying to strip the domain part from a URL, so the bit I am after would be "domain.com". I have written an expression to match it and it seems to work (haven't thoroughly tested it). When I output the $matches variable when testing on "http://www.yahoo.com" it only outputs www.y, which I can't understand. Any help is appreciated. Here is the code I am using:

     ```php
     $domains = 'com|net|org|me|co|info|mobi|tv|us|biz|cm|co.uk|cc|ca|eu|tel|nu|in|aaa.pro|aca.pro|acct.pro|asia|avocat.pro|bz|ws|ac|am|at|bar.pro|be|br.com|cn|cn.com|co.nz|com.cn|com.co|com.mx|com.tw|cpa.pro|de|de.com|eng.pro|eu.com|fm|gs|hu.com|idv.tw|it|jp|jur.pro|kids.us|la|law.pro|me.uk|med.pro|ms|name|net.cn|net.co|nl|no.com|nom.co|org.cn|org.nz|org.tw|org.uk|pro|qc.com|recht.pro|ru.com|sa.com|se.com|se.net|sh|tc|tm|tw|uk.com|uk.net|us.com|uy.com|vg|za.com';
     $domains = str_replace(".", "\.", $domains);
     $pattern = '/[a-zA-Z0-9]{2,100}\.[' . $domains . ']/';
     $test1 = "http://www.yahoo.com";
     if(preg_match($pattern, $test1, $matches)) {
         echo 'Test 1 is okay<br />';
         echo $matches[0] . '<br />' . $matches[1] . '<br />' . $matches[0][0] . '<br />' . $matches[0][1] . '<Br />' . $matches[1][0] . '<br />' . $matches[1][1] . '<br />' . $matches[2][0] . '<br />' . $matches[2][1] . '<br />' . $matches[2][2];
     }
     ```

     This is my test code; it output the following: Test 1 is okay 1 www.y w w
  9. I am not sure exactly what the problem is, but I very much doubt that it is PHP related. I have experienced problems with the mail function in the past, and it happened to be that the mail server was not reverse DNS configured, so mail to external servers was never received.
  10. I don't think asking people to read through all of your code to fix it is the right approach, my friend!
  11. If you know the incoming variable (box), why do you need to pass it to reuse it when you already know what it is?
  12. $pattern = '/[0-9]{1,3}\.[0-9]{6}/'; This pattern appears to work okay, glad to see I wasn't too far away!
  13. Thanks for your help, I'll get on it =)
  14. That should work, yes. It's hard to say why it's not working without more info on the problem, but array($var, $var) is valid.
  15. Hey guys, I am not very experienced with regular expressions, nor do I understand the syntax very well. I am trying to write a pattern to validate a longitude or latitude value; the valid formats would be: 123.123456 12.123456 1.123456 So basically a 1 or 3 digit number, followed by a period, followed by 6 numbers 0-9. The pattern I came up with is below but it does not seem to work properly: $pattern = '/^[0-9]{3}\.[0-9]{1}/'; I hope someone can assist me, thanks for reading!
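
A hardened form of the `$page` handling from post 3, added here as an example and not part of any original post: the original echoes `$_GET['page']` unmodified whenever the `> $numpages` comparison is false, so this version accepts only an integer in range and escapes at output. The helper name `current_page`, the value `$numpages = 12` and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example; not code from the original posts.
// Assumption: $numpages is computed elsewhere; 12 is a constructed value.
$numpages = 12;

/**
 * Hypothetical helper: return a page number guaranteed to be an int
 * in 1..$numpages, falling back to 1 for anything else.
 */
function current_page(array $query, int $numpages): int
{
    if (!isset($query['page']) || is_array($query['page'])) {
        return 1; // missing, or page[]=... sent as an array
    }
    // FILTER_VALIDATE_INT rejects "Hello", "3abc", markup and
    // out-of-range numbers; it returns false when validation fails.
    $page = filter_var($query['page'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $numpages],
    ]);
    return $page === false ? 1 : $page;
}

$page = current_page($_GET, $numpages);

// Escape at output as well, so the markup stays safe even if a string
// value is ever echoed here in a later change.
echo '<p><strong style="margin-top: 4px; margin-left: 3px;">Page '
    . htmlspecialchars((string) $page, ENT_QUOTES, 'UTF-8')
    . ' of '
    . htmlspecialchars((string) $numpages, ENT_QUOTES, 'UTF-8')
    . "</strong></p>\n";

// Constructed sample inputs showing what each request value resolves to.
$samples = ['3', 'Hello', '3abc', '99', '<script>alert(1)</script>', ['x']];
foreach ($samples as $raw) {
    printf("%s => %d\n", json_encode($raw),
        current_page(['page' => $raw], $numpages));
}
```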