elis

Couldn't you use $_SERVER['HTTP_REFERER']; in your send_to_friend script, which would show the url the user clicked on to reach Send to Friend?

I haven't used this feature before so I'm unsure whether my syntax is correct (I'm assuming it isn't because of my errors.) I've searched around for the correct syntax to use, but haven't found it. Here's the error I'm receiving: and here is my code <?php require($configRoot); $import = mysql_query("LOAD DATA INFILE '$absolutePath/install/import/tables.sql'"); if($import) { $results[] = '<td align="center"><img src="images/tick.png"></td><td align="left">Imported database tables.</td><tr>'; } else { $results[] = '<td align="center"><img src="images/cross.png"></td><td align="left">Unable to import tables</td><tr>'; echo mysql_error(); } ?> I've tried using: $import = mysql_query("LOAD DATA INFILE '".$absolutePath."/install/import/tables.sql'"); and $import = mysql_query("LOAD DATA INFILE ".$absolutePath."/install/import/tables.sql"); but receive the same error.

Thank you, I'll try that

I'm trying to use sleep(); to delay my program for a few seconds. I haven't used it before so I may be misunderstanding how it works. What I wanted was a message to print, a pause in the script entirely, and then a second message to print. However what I'm getting is a pause and then both messages print. <?php if(isset($_POST['submit'])) { echo 'message 1'; sleep(5); echo '<br> message 2'; } ?> what I'm receiving is a five second pause after hitting submit on the form and then both messages print at the same time. I wanted a pause between them.

anyone at all?

I'm creating a PHP application for a friend and am providing an installation script (I might publicly release this application later which is why I'm concerned about security.) The application has an admin section, I was thinking of allowing the user to name where all of the admin files are stored instead of in a typical "admin" folder, and store what this folder is called in the configuration file. I know this isn't going to really deter hackers, but any steps to make it a little trickier might help. So my questions are: a) would this be a pointless step? Should I just use a pre-defined folder? b) if I do use this step, where should I store the folder name so that I can access throughout the script? I was thinking in the configuration file since it's located above the directory. c) does anyone have any additional security suggestions I should use? I think I have most measures covered, all user input is sanitized and a whitelist is used, but haven't figured a way to deal with session fixation.

<?php //Create a random 10-digit alphanumeric variable function randomgen() { $length = 10; $string = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'; $key = substr( str_shuffle($string), 0, $length ); return $key; } $filename = randomgen(); $file = fopen("$filename.html","w"); $body="<table width=\"75%\" cellpadding=\"2\" cellspacing=\"2\"> <td><b>First name: </b> ".$_POST['First_name']."</td><td> <b>Last Name: </b>" .$_POST['Last_name']."</td><tr>"; $body.="<td><b>Address</b> ".$_POST['Address']." </td> <td><b>City: </b>" .$_POST['City']."</td><tr> </table>"; echo fwrite($file,$body); fclose($file); ?> I haven't tested this though. There may be errors.

I'm not sure where this should go, so sorry if I've picked the wrong spot. Anyway, I'm using Acunetix to check for vulnerabilities on a web application I'm building (currently hosted on my computer as I want to fill in security holes before making it public) Anyway, Acunetix has taken over two days to "crawl" through my files. I have 1,500+ that are in my web application (this includes images, misc docs, I think most are coming from TinyMCE and other outside scripts I'm using). For those familiar with Acunetix WVS, is it supposed to take this long?

You need to tell the script to change the name of the text file each time it runs. The simplest way would be to generate a random name and append it to the file. i.e. <?php //Create a random 10-digit alphanumeric variable function randomgen() { $length = 10; $string = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'; $key = substr( str_shuffle($string), 0, $length ); return $key; } $filename = randomgen(); $file = fopen("$filename.txt","w"); $body = $_POST['First_name'] ."<br>"; $body .= $_POST['Last_name'] ."<br>"; echo fwrite($file,$body); fclose($file); ?> Regarding "John<br>Smith<br>" You've created a text file, it is not able to print in HTML. You would need to change the file extension, or change how you're inputting data into test.txt

I suggest using Tizag.com if you're a complete beginner. I found that that site better explains certain aspects of PHP for beginners than some other resources do.

Thanks for the tip!

I figured it out.

I'm trying to figure this regex stuff out, so I've consulted a few resources how to properly write one -- but as my script is no longer working, I suspect I have it wrong. I'm trying to make sure a variable contains the correct allowed values which are alphanumeric and a single underscore followed by the word "useruid": i.e. W2kyK8Etr_useruid So I've written this: <?php $allow = "^[a-zA-Z0-9]_{1}useruid$"; if(eregi($allow,$_COOKIE[$genkey."_useruid"])) { $cleanuid = $_COOKIE[$genkey."_useruid"]; } ?> But it isn't working because I am new to this regex thing and probably messed something up. Could someone spot my mistake?

Thank you, phpORcaffine. I'll try changing them to double quotes.

Here is a snippet of my code: <?php $contactname = db_escape_string(htmlspecialchars($_POST['name'])); $sentname = $user->name; $subject = db_escape_string(htmlspecialchars($_POST['subject'])); $body = db_escape_string($_POST['body']); //pulled in an earlier (not shown) query $contactemail = $rowA['contactemail']; $headers = 'From: ' . $user->mail . ' ' . "\r\n" . 'Reply-To: ' . $user->mail . ' ' . "\r\n" . 'X-Mailer: PHP/' . phpversion(); $headers .= 'MIME-Version: 1.0' . "\r\n"; //prevent mail from going to spam folder $header .= 'Return-Path: ' . $user->name .' < ' . $user->main . '>\r\n'; $headers .= 'Content-Type: text/plain; charset="iso-8859-1"' . "\r\n"; $mailbody = $body; $mailbody .= '\r\n- ------ \r\n Lorem ipsum'; mail($contactemail, $subject, $mailbody, $headers); ?> I'm actually not that familiar with this, so excuse any stupid oversights on my part. The sending of mail works, however, I keep receiving this: Instead of When entering a new line (through hitting the enter key, not actually using "\n") in my form. I wondering what I'm doing wrong. Are my headers incorrect for what I want (simple text emails)? Is it just my email that's reading it wrong (gmail)? I tried setting my emails to HTML and using nl2br(); but the same problem occurred, but with "\r\n<br />" in the emails.