Psycho

No they ARE needed. d+1 = the value of the option and d is the index of the value. Indexes start at 0 so in a numerical list that starts at 1, each items index will be 1 less than the value.

A complete explanation of how it works can be found here (where I got it from): http://snippets.dzone.com/posts/show/2099 I should have linked it in my above post. Um, those variables tell me what the field IDs are for the day, month & year fields. You need those to do what it is you want to do. I always try to make my code modular by not hard coding variables into them. By passing the IDs I could use this function on another page with little to no modification. The first line create a new option to be added to the select list and the second line adds it. It could be written as one line daysObj.options[d] = new Option(d+1, d); That code is in place because if the use changes from a month with less days to a month with more days you need to add the appropriate options back.

1. Give all your fields an ID 2. Write out 1-31 options for the days field 3. Give the month field an onchange event 4. Change the values for the month options to numerical values <select name="month" id="month" onchange="getdayFeb();"> <option value="1">January</option> <option value="2">February</option> <option value="3">March</option> <option value="4">April</option> <option value="5">May</option> <option value="6">June</option> <option value="7">July</option> <option value="8">August</option> <option value="9">September</option> <option value="10">October</option> <option value="11">November</option> <option value="12">December</option> </select> <select name="day" id="day"> <?php for($day=1; $day<=31; $day++){ echo "<option value=\"$day\">$day</option>"; } ?> </select> <select name="year" id="year"> <?php $thisYear = date("Y"); while($thisYear >= 1900){ echo "<option value=\"$thisYear\">$thisYear</option>"; --$thisYear; } ?> </select> Add these two JavaScript functions to the head of your page function daysInMonth(iMonth, iYear) { return 32 - new Date(iYear, iMonth, 32).getDate(); } function getdayFeb(dayID, monthID, yearID) { var month = document.getElementById('month').value - 1; var year = document.getElementById('year').value; var daysObj = document.getElementById('day'); var days = daysInMonth(month, year); if(daysObj.options.length>days) { daysObj.options.length = days; } else if(daysObj.options.length<days) { var option; for(var d=daysObj.options.length; d<days; d++) { option = new Option(d+1, d); daysObj.options[d] = option; } } }

There are several problems with what you are trying to do. 1. You should write the options out before the javascript is run. Otherwise any user without JavaScript enabled will not be able to use your form 2. You need to execute the function onchange() of the month field. 3. The function currently "writes" to the page - so if you did call it onchange it would wipe out the entire page. I'll post some code is a bit

I still disagree. IMHO, a form validation should be completely modularized into the different validations such that they can be easily reused. The main function that is called upon submission would simply call the various validation functions (e.g. isEmail(), isEmpty(), etc.). It would be fairly simple for someone to pick up and reuse on another form with little modification - just call the appropriate funstion(s) for each field. That's the whole point - I don't want to rewrite code if I don't need to.

Well, for the most part, JavaScript is dependant on the site, so it's not like you can just copy some JavaScript, slap it on your site and it'll work. For those people who don't know how to code, it wouldn't matter. I could apply the proper indentation and those people will still not understand it. But for those who know JavaScript, they would just write their own. I disagree. If Java Script (or any code) is properly written it should be able to be used on other sites/applications with little to no modification. If that is not the case, the person writing the script is doing themself a disservice in writing non-modularized code. But, to answer your questions, people may compact the code to run faster or as a simple means of obfruscating the code (i.e. making it hard for others to read) to protect it. But, just as theri are tools to do this for you there are others to reverse it. There are some that even go as far as transcoding characters into equivalent character codes making it even more difficult (but not impossible) to reverse engineer. The bottom line is that you cannot "protect" your javascript code. You can take steps to make it harder for someone else to use, but that also introduces problems in maintaining the code as well. I think obfuscation was the intent of the code posted above.

I would find it extremely unlikely that there are any collisions in their database. Sites such as those use common words or phrases (and combinations of those) to build thier lookup list. If you calculated the total number of possible hashes you would find that the total number of permutations is much larger than the number of combinations of limited strings on the order of many, many magnitude. Most MD5 reverse lookups use strings that would reasonably be used as a password, i.e. up to 20+ characters). The only examples I have seen where collisions have been proved are using PDF documents with thousands upon thousands of characters in length (in the actual source code, not the PDF displayable content).

I just realized I should have added a break statement if a match is found since there would be no reason to check and additional rows after the first match is found. var newResourceName = clonedParent.getElementsByTagName('td')[0].firstChild; for(var i=0;i<cartRows.length; i++) { var resourceName = cartRows[i].getElementsByTagName('td')[0].firstChild; var duplicate = false; if (resourceName == newResourceName) { duplicate = true; break; } } if (duplicate) { alert("You may only pick a resource once."); } else { cartTable.appendChild(clonedParent); }

var newResourceName = clonedParent.getElementsByTagName('td')[0].firstChild; for(var i=0;i<cartRows.length; i++) { var resourceName = cartRows[i].getElementsByTagName('td')[0].firstChild; var duplicate = false; if (resourceName == newResourceName) { duplicate = true; } } if (duplicate) { alert("You may only pick a resource once."); } else { cartTable.appendChild(clonedParent); }

Um, say what? The OP asked about finding the index for an item in an array. strpos() is, obviously, for strings. Try this $index = array_search($array, max($array));

I think this is what you want. May not be the most compact/efficient code but I was only interested in getting this to work. It will reduce the image until one axis is exactly the same size as one of the target dimensions and the other dimension is bigger than the target. It will then crop the other dimension to fit the target. <?php function fitImageToSize($filename, $width_new, $height_new) { $src_x = 0; $src_y = 0; //Get dimensions of original image list($width_old, $height_old) = getimagesize($filename); //Resize & crop image based on smallest ratio if ( ($width_old/$height_old) < ($width_new/$height_new) ) { //Determine Resize ratio on width $ratio = $width_new / $width_old; //Detemine cropping dimensions for height $crop = $height_old - ($height_new/$ratio) ; $height_old = $height_old - $crop; $src_y = floor($crop/2); } else { //Detemine Resize ration on height $ratio = $height_new / $height_old; //Detemine cropping dimensions for width $crop = $width_old - ($width_new/$ratio); $width_old = $width_old - $crop; $src_x = floor($crop/2); } $image_old = imagecreatefromjpeg($filename); $image_new = imagecreatetruecolor($width_new, $height_new); imagecopyresampled($image_new, $image_old, 0, 0, $src_x, $src_y, $width_new, $height_new, $width_old, $height_old); return $image_new; } $new_image = fitImageToSize($uploadFile, 100, 75); // Output header('Content-type: image/jpeg'); imagejpeg($new_image, null, 100); ?>

As flyhoney stated htmlenteties() should be sufficient. But, to answer your question... stripslashes() removes backslashes - e.g. "\". A URL uses forward slashes (e.g. "/") and would not be affected by the stripslashes() function. RTFM

Well, let's just agree that we will disagree then. You are right in that there is nothing inherently wrong with your approach. My problem with writing the javascript using PHP leads to problem with following quote marks and ensuring they are escaped (and in some cases double escaped) as needed. I don't see how my apprach leads to any more work. The last code I posted gave an example of how the Javascript can be created outside the PHP tags and just include the variable content as needed. In my opinion it is much easier to control. But, it's your code. However, if you are going to write the javascript using PHP echo's, why are you using single quote marks to echo the code and then having to exit out of quote marks to append the variables. Just use double quotes and include the variable inside the quote marks. Much more efficient and easier to read I think //Single quotes echo 'This car is ' . $color . ' and gets ' . $mpg; //Double quotes - easier to read echo "This car is $color and gets $mpg"; Okay, after taking another look at the code I do see the error. And it is a combination of two of the problems I identified - primarily an issue with the escaping of quot marks and also the fact that you are writing a select field using innerHTML! If you had taken my approach the problem would have been self evident. Or at the very least, you should have been looking at the HTMNL source of the processed page. The rendered Javascript (based on the code above) will look something like this (put in quote tags so I can highlight the specific problem): In the resulting JavaScript you start declaring the code to write into the DIV using innerHTML using a single quote (blue). But, within that code you are creating a parameter that is also declared with single quotes (red). So, when the javascript gets to the first red quote it thinks that is the end of the content to assign to the innerHTML value. If you want to keep the code as you currently have it you will need to "double" escape those red quote marks. This gets very tricky and gets error prone which is why I suggest you don't do it that way. To "double" escape it, that line would look something like this in the PHP file: <SELECT NAME="BG" ID="BGChooser" onchange="changeimg(this, \\\'Card\\\');"> Although I don't know why you want to make it hard on yourself. Just declare the Javascript outside the PHP tags and it is so much easier to create and maintain.

I just noticed your other two functions Change1() and Change2(). Using javascript to insert a select list via innerHTML is probably not the best choice. I would recommend just changing the style to hide/unhide the select list.

I already told you what I thought the problem was before - a mismatch of escaped quotes between PHP and JavaScript. And I stated that was the reason why I recommend that you do not write JavaScript from within PHP and gave a perfectly acceptable method of making the javascript variable using PHP without the problems of escaping the quotes. Then you go and take the code I provided and reverse engineer it back to how you were trying to do it before and you have created the same problems as before. Now the code is much more difficult to read than what I provided. Plus, you didn't use the rawurlencode() which would fix the other possible problem of invalid characters int he URL. I wish you all the luck, but if you don't want to bastardize the solution I provided and it doesn't work, I'll just recommend you to use it as provided.

I'm not saying that is the only risk. I was only giving one possible risk. All it takes is a little thought to look at how your files are used and to prevent malicious use.

Let's assume you have the following directory structure and files. ROOT/ - index.php ROOT/USER_FILES/ - uploader.php ROOT/INCLUDES/ - foobar.php[code] The application allows users to create their own personal folder in the "USER_FILES" directory to put their personal files. Now, let's assume that index.ph and uploader.php have content such as follows: index.php [code]include('USER_FILES/uploader.php'); uploader.php include('INCLUDES/foobar.php') When index.php is called it will include uploader.php. Then the include is called in uploader.php the path is relative and it will be relative from the parent script. So the path 'INCLUDES/foobar.php' will point to the intended file as expected. OK, there are problems with that structure above. Let's suppose a user creates their personal folder and names it 'INCLUDES' (ROOT/USER_FILES/INCLUDES). Then the user creates a file called foobar.php with malicious code. If the user can then directly call the uploader file, when it sees include('INCLUDES/foobar.php') it will be relative to the uploader.php file since it is the parent script and it will then include the malicious file the user created and uploaded. Now, all of this assumes that the developer did a LOT of things wrong. A couple are: - User files should be stored in a protected area outside of any application files and definitely not in a web accessible directory. - If a file is only supposed to be included by another file (such as uploader.php in the example above) there should be some code at the top of the script to prevent direct running of the file and/or put in a directory that is not web accessible

It isn't all that hard. It isn't like the vulnarability magically happens. For RFI to occur the code has to allow a file inclusion which is in some way affected by user input. So, if you had something like this include('myfile.php'); there is little to no risk as the include file is hard coded (see note at end). However, if you had something like $page = $_GET['page']; include($page.'.php'); That is trouble waiting to happen. Whenever there is a need to use user input to decide on an include page it should ALWAYS be validated. If for instance you know that the $page value will only consist of three possibilities you could test the value against a white list of those values. If the passed value is not in that list have error handling or choose a default. $pages = array('pageone', 'pagetwo', 'pagethree'); $page = $_GET['page']; if(!in_array($page, $pages) { $page = $pages[0]; } include($page.'.php'); Of course, the actual implementation could be more complex than a simple hard coded list. But, you should still have some way to validate that the values being passed are what you expect. The bottom line is NEVER trust anything the user sends you. For example, one common misconception I see is that POST data from a select list doesn't need to be validated because the user can only select a value from that list. That's not true, and again, should always be validated. Regarding the previous statment that a hard-coded include is relatively safe, there are instances where it could be unsafe. But again, they are easily mitigated by a little thought. An example would be where the include() is on a page which itself is included so that the path to the include file is relative to the parent script. It would be possible to have the page include a file with the same name if it was accessed directly. But, that would only be if the user has the ability to upload a file to that specific path relative to the calling page. Some basic good file file structure would prevent this possibility.

I did notice one thing which I wouldn't think would be the problem (it would either work consistently or fail consistently), but you never know echo"<input type=\"hidden\" name=\"tag_name[$i]\" value='".$row['tag_name']."'></input>"; Input tags do not have an opening and closing tag, just a single tag with a space and slash at the end for proper HTML: echo"<input type=\"hidden\" name=\"tag_name[$i]\" value='".$row['tag_name']."' />"; here are some other observations: For the INSERT to occur the field 'set_options' must also be posted and the field 'c_options' must be present and not equal to "". Looking at the rest of the code, I would assume that is the case - but are you initiating the POST from this page or is there another page that also POSTs to this page which may not have those fields on it? 'set_options' is created as a hard-coded hidden field, so shouldn't be any problems there. But, 'c_options' is dynamically created. Are all those options present on the first load of the page? I would try to offer more help but your code is really hard to follow. By the way, this is an odd way to do this test if(!$_POST['c_options']=="") I would suggest this if($_POST['c_options']!=="")

"It didn't work" is not helpful. I did notice that I forgot to finish formatting the last two lines that generate the newSrc value. Also, I found that trying to do a += to a variable that has not yet been assigned a value results in "undefined" being added to the beginning. I have made the corrections below. However, you need to realize that if ANY of the values you are using have values that are not appropriate for a URL (e.g. spaces and some special characters) it will also fail. So, I also added rawurlencode() to each of the variables being written. The below code is a complete page that shows the code working. Instead of actually changing the src of the target object I am printing the result tothe page so you can see what is happening. Just uncomment the line before and remove the line that prints the code to the page for actual implementation <?php $UserName = "MJones"; $UserPosts = "25"; $PersonalText = "TheText"; $Website = "www.domain.com"; $UserAvatar = "MyAvatar"; $Group = "TheGroup"; ?> <html> <head> <script type="text/javascript"> function changeimg(selObj, targetID) { //Generate the background source URL var newSrc; newSrc = 'http://craigh.tlcrepair.net/ConsoleCard/ConsoleCardTwo/index.php'; newSrc += '?UserName=<?php echo rawurlencode($UserName); ?>'; newSrc += '&Posts=<?php echo rawurlencode($UserPosts); ?>'; newSrc += '&PS=<?php echo rawurlencode($PersonalText); ?>'; newSrc += '&Site=<?php echo rawurlencode($Website); ?>'; newSrc += '&Av=<?php echo rawurlencode($UserAvatar); ?>' newSrc += '&Group=<?php echo rawurlencode($Group); ?>' newSrc += '&BG=' + selObj.options[selObj.selectedIndex].value; //Set the target source //document.getElementById(targetID).src = newSrc; document.getElementById(targetID).innerHTML = newSrc; return; } </script> </head> <body> <SELECT NAME="BG" ID="BGChooser" onchange="changeimg(this, 'Card');"> <OPTION VALUE="0">Choose a Background...</OPTION> <OPTION VALUE="0">None</OPTION> <OPTION VALUE="1">Little Big Planet</OPTION> <OPTION>Other Background</OPTION> </SELECT> <DIV id="Card"></DIV> </body> </html>

This is your problem return $content; Why do you have a return in the middle of your script outside of any function or construct where it would make sense? Not sure what you expect to happen here, but according to the manual: http://us.php.net/manual/en/function.return.php If called from within a function, the return() statement immediately ends execution of the current function, and returns its argument as the value of the function call. return() will also end the execution of an eval() statement or script file. So, once the script hits that return command it stops executing any more code - including the echo at the end to display the page.

Well, I would first suggest rewriting the code so it is more readable. In my opinion a line of code should not be so long that you can't immediately tell what it is doing. Second, that code is "out of context". It is apparent that it is being written within PHP, yet is presented outside the actual PHP code that is writing it. So, it is difficult to determine exactly what the problem may be. Wither post the code showing how PHP is writing it OR just post the code that is rendered in the HTML. I think the problem has something to do with the escaping of quote marks. When writing JavaScript within PHP trying to track the correct escaping between the two can get confusing making it easy to make mistakes. If I need to insert variable content within JavaScript using PHP I typically write the JavaScript as plain HTML in the page (i.e. outside PHP tags) and just insert the variable content where needed. I would also change the function to accept a parameter for the select object rather than hard coding the reference in the function. Makes your code much more reusable. HTML (notice the (this) and ('Card') in the onchange call) <SELECT NAME="BG" ID="BGChooser" onchange="changeimg(this, 'Card');"> <OPTION VALUE="0">Choose a Background... <OPTION VALUE="0">None <OPTION VALUE="1">Little Big Planet <OPTION>Other Background </SELECT> Server-side script function changeimg(selObj, targetID) { //Generate the background source URL var newSrc; newSrc += 'http://craigh.tlcrepair.net/ConsoleCard/ConsoleCardTwo/index.php'; newSrc += '?UserName=<?php echo $UserName; ?>'; newSrc += '&Posts=<?php echo $UserPosts; ?>'; newSrc += '&PS=<?php echo $PersonalText; ?>'; newSrc += '&Site=<?php echo $Website; ?>'; newSrc += '&Av=' .$UserAvatar newSrc += '&Group=' .$Group newSrc += '&BG=' + selObj.options[selObj.selectedIndex].value; //Set the target source document.getElementById(targetID).src = newSrc; return; } EDIT: Added the targeteID reference for the function Also, I notice teh select field has an 'other' option with no value. The function currently wouldn't handle that. I assume you are aware and just haven't added that functionality yet.

To hopefully give a littel more insight, I'll give a couple examples. 1) User access your form which has javascript to prevent certain characters in the username and will prevent form submission with a friendly error message. Good right? Ok, then the user access the browser options and turns off JavaScript. User is now able to enter anything they wish and submit the form. Uh oh! 2) You have the above code, but implement some additional JS so that the form can't even be submitted without JS enabled. Of course this may block a small number of potential users, but that's OK since you will be protected from hackers, right? Nope. A malicious user can simply view/copy the source code for your page and recreate the form himself without any javascript and ensure it can be submitted with whatever values they want. As stated above, you must always validate user input on the server-side. JavaScript provides a nice way to give the user immediate feedback without having to submit a form. But even if you have javascript validation, all bets are off once the form submission is received.

There is still another problem. In the script that checks for availability you are doing two checks. The first checks for a specific user name (makes sense). I'm not even sure what the second check does. Based upon the logic it checks if the username being checked is the LAST username in the results of the last query. I see not value in this check. Anyway, you have two IF/ELSE checks that will both output "no" or "yes". So the result from that script will always have TWO responses that are concatenated together and will be one of the following - nono - noyes - yesno - yesyes Then in your JavaScript code you only check to see if the result is "no". If so then it states the username is unavailable. Otherwise it states the username is available. 1. First fixe the script to ONLY output a "true" if the username is OK to use and "false" otherwise (true/false is a better programming standard than yes/no) - without the duplication. 2. Change the JavaScript to look for a positive response to show the username is available, and make the unavailable response for the "else" condition. The way it is currently coded if there is an error in the script it will show the username as available. Or, alternatively, you could have three conditions: 1) true - username is available, 2) false - username is not available, 3) "Else" - any thing not a yes or no will result in an apropriate erro message being displayed. In any case - test your server-side script before trying to implement the AJAX call. If you did I'm sure you would have uncovered several of these errors already.

You are putting the variables in the wrong order. A simple look at the manual for mail() would have made that clear. I don't see why you would make the assumtion to add the name after the subject in any event. In any event you don't state what name you are trying to use. Are you wanting to add a name for the sender or the recipient. If you want the name to appear for the recipient it needs to be included with the email address as the first paramater like this: John Doe <john.doe@example.com> If you want the name to appear for the sender, it is in the same format, but it included as part of the second to last parameter which is for the additional headers and can include additional information: FROM: John Doe <john.doe@example.com> Take a look at the manual for more info: http://us.php.net/manual/en/function.mail.php