Everything posted by dbillings

  1. I only glanced at the code but I think using $array without the [] will only see it as a variable and change the value each time. You want to use $array[]. This will produce a true array with multiple values.
  2. http://us2.php.net/manual/en/ref.math.php
  3. Interesting.
  4. Updated EZ_login ver. 10.1.2007 Includes features: IP banning, users online display, Super_admins, 4 security levels with easy clickable adjustments. Demo version registers users with admin privileges. Check it out at http://www.dennisbillings.com//projects.php
  5. If you have write permissions you can use this. http://www.dennisbillings.com/projects.php
  6. I'm not sure if the admin privileges access was broken before you were working your magic or not.
  7. I can block the full path disclosure by getting rid of my error reporting. I can stop the sql injections by creating better $_GET validation. I should use htmlspecialchars() on all my form data. How do I rid myself of the user enumeration problem and how did you give yourself admin privileges?
  8. or htmlspecialchars
  9. would php's strip tags be a good solution to stop cross site scripting?
  10. ? USA
  11. Really never looked in this forum before and didn't know it was a hack my site into oblivion kind of thing. So we'll see what happens I suppose.
  12. I've made an easy to configure and install login system with php. It has a configure file that initially needs edited then a setup.php page to run that creates a mysql table. Then you are off and running with a few includes. It has features like super admins, 4 levels of security, lists users currently online, ability to modify users access easily and it requires no programming knowledge to use. dennisbillings.com/projects.php
  13. Thanks my brotha from anotha mutha. I'll give that a try.
  14. I can't get my arrays to echo. The display pukes out the following. IP: Array Unix: IP: Array Unix:
      <?php
      ##############################
      ### Users online script
      ### ver. 8/26/07
      ##############################
      $ip = $_SERVER['REMOTE_ADDR'];
      $filename = "usersonline.txt";
      if (is_writable($filename)) {
          $handle = fopen($filename, "r");
          if (filesize($filename) > 0) {
              $contents = fread($handle, filesize($filename));
              fclose($handle);
          }
          $handle = fopen($filename, "a");
          $iptime = $_SERVER['REMOTE_ADDR']."@@@@".time()."****";
          $seperate = explode("****", $contents);
          $remote_addr = array();
          $time_out = array();
          foreach ($seperate as $value) {
              list($remote_addr[], $time_out[]) = split('@@@@', $seperate);
          }
          if (count($remote_addr) == count($time_out)) {
              $counter = count($remote_addr);
              for ($i=0; $i < $counter; $i++) {
                  // I can't get this array to display.
                  // Neither $remote_addr nor $time_out display. Any ideas?
                  echo "IP: ";
                  echo $remote_addr[$i];
                  echo " Unix: ";
                  echo $time_out[$i];
                  echo " <br />";
              }
          }
          if (fwrite($handle, $iptime) === FALSE) {
              echo "File: $filename cannot be written too.";
              exit;
          }
          fclose($handle);
      }else{
          echo "The $filename is not writable.";
      }
      ?>
  15. You could use ob_start() at the top of the page. Then ob_end_flush() after your echo $row->image_thumb. P.S. Have never used output buffering before so don't attack me if I'm wrong, although I'm fairly certain it should work.
      <?php
      ob_start();
      if(!isset($_GET['id']) || empty($_GET['id'])) {
          return;
      }
      require_once("db_config.php");
      require_once("db_connect.php");
      function mysql_smart_quote($var) {
          if (get_magic_quotes_gpc()) {
              $var = stripslashes($var);
          }
          if (!is_numeric($var)) {
              $var = "'" . mysql_real_escape_string($var) . "'";
          }
          return $var;
      }
      $sql = "SELECT product_images.image_thumb FROM product_images WHERE product_images.id = " . mysql_smart_quote($_GET['id']);
      $result = mysql_query($sql) or die(mysql_error());
      $row = mysql_fetch_object($result);
      header("Content-type: image/jpeg");
      echo $row->image_thumb;
      ob_end_flush();
      ?>
  16. Yeah, 'i' is the ticket.
      <?php
      // The "i" after the pattern delimiter indicates a case-insensitive search
      if (preg_match ("/php/i", "PHP is the web scripting language of choice.")) {
          print "A match was found.";
      } else {
          print "A match was not found.";
      }
      ?>
  17. I'm not following why you want the page to say htm either but you could make the page say .taco if you wanted to, but if the web server isn't set up to know that taco is an alias for php it won't work. You can't just use a standard old html page to run php. I think you simply have the links set up backwards. The following will show logout if the session variable auth equals yes (I assume that means logged in). Then if it doesn't equal yes it will provide the Sign In link.
      <? if ($_SESSION['auth'] == "yes"){ ?>
      <a href="index.php?page=logout">Logout</a>
      <? }else{ ?>
      <a href="/index.php?page=sign_in">Sign In</a>
      <? } ?>
  18. htmlspecialchars() will allow you to display html tags and characters on the page. Barrands even better method highlight will provide the lovely blue,red,green and orange colors for the various php and html elements in the text. If your mysql data is returned exactly as you typed it it will produce... TITLE TUTORIAL STUFF
  19. You haven't showed us the value of the variable returned from your mysql table. So we can't know.
  20. in the same directory as the script you are trying to run should be a script called (I'm not sure if that DIR_WS_FUNCTIONS thing is part of the filename? From what I'm familiar with it would be but I could be wrong.) DIR_WS_FUNCTIONSfunctions_prices.php. It is telling you that it isn't there. Why isn't it there is what you need to find out. Where is it?
  21. put the include in the spot where you have "somthing has to go in here to make the form appear". The include simply includes the form in the page and the contents "forum/form.php" is simply the location the form.php file is located on your web-server. Cut and paste this... report back your results. <?php include("http://www.brummiesfans.com/forum/form.php"); ?>
  22. <?php
      sleep(20); //seconds to wait..
      header("Location:http://www.domain.com");
      ?>
  23. In words that you can understand you will need to retrieve the encrypted password from the database via a mysql_query then take that result and plug it in to the $encrypted variable in the function i.e.
      <?php
      $encrypted = 12345678910; // imaginary mysql_result for $encrypted.
      $plain = $_REQUEST['password']; // user's submitted password from a form or possibly a session.
      zen_validate_password($plain, $encrypted);
      /* This will in turn produce a result of true or false, obviously true if the encrypted
         mysql_result matches the submitted user's entry after encryption.
         So to use it in a conditional.... */
      if (zen_validate_password($plain, $encrypted)) {
          // do something you want accomplished after returning true.
      }else{
          // do something if it returns false.
      }
      ?>
      God speed little doddle.
  24. His tutorial is kind of crap, the drawHitpointBar($image, $hp) function magically transforms into paintHPBar($image, $hp), but the way you have your script posted it calls the function drawHitpointBar($image, $hp) before you define it. Even though the function changes to paintHPBar(). If PHP is what you're interested in learning his tutorial is a little advanced and poorly written. Try w3schools.com
  25. You're probably trying to include that script in another script that already sent the header.