elis

Couldn't you use $_SERVER['HTTP_REFERER']; in your send_to_friend script, which would show the url the user clicked on to reach Send to Friend?

I haven't used this feature before so I'm unsure whether my syntax is correct (I'm assuming it isn't because of my errors.) I've searched around for the correct syntax to use, but haven't found it. Here's the error I'm receiving: and here is my code <?php require($configRoot); $import = mysql_query("LOAD DATA INFILE '$absolutePath/install/import/tables.sql'"); if($import) { $results[] = '<td align="center"><img src="images/tick.png"></td><td align="left">Imported database tables.</td><tr>'; } else { $results[] = '<td align="center"><img src="images/cross.png"></td><td align="left">Unable to import tables</td><tr>'; echo mysql_error(); } ?> I've tried using: $import = mysql_query("LOAD DATA INFILE '".$absolutePath."/install/import/tables.sql'"); and $import = mysql_query("LOAD DATA INFILE ".$absolutePath."/install/import/tables.sql"); but receive the same error.

Thank you, I'll try that

I'm trying to use sleep(); to delay my program for a few seconds. I haven't used it before so I may be misunderstanding how it works. What I wanted was a message to print, a pause in the script entirely, and then a second message to print. However what I'm getting is a pause and then both messages print. <?php if(isset($_POST['submit'])) { echo 'message 1'; sleep(5); echo '<br> message 2'; } ?> what I'm receiving is a five second pause after hitting submit on the form and then both messages print at the same time. I wanted a pause between them.

anyone at all?

I'm creating a PHP application for a friend and am providing an installation script (I might publicly release this application later which is why I'm concerned about security.) The application has an admin section, I was thinking of allowing the user to name where all of the admin files are stored instead of in a typical "admin" folder, and store what this folder is called in the configuration file. I know this isn't going to really deter hackers, but any steps to make it a little trickier might help. So my questions are: a) would this be a pointless step? Should I just use a pre-defined folder? b) if I do use this step, where should I store the folder name so that I can access throughout the script? I was thinking in the configuration file since it's located above the directory. c) does anyone have any additional security suggestions I should use? I think I have most measures covered, all user input is sanitized and a whitelist is used, but haven't figured a way to deal with session fixation.

<?php //Create a random 10-digit alphanumeric variable function randomgen() { $length = 10; $string = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'; $key = substr( str_shuffle($string), 0, $length ); return $key; } $filename = randomgen(); $file = fopen("$filename.html","w"); $body="<table width=\"75%\" cellpadding=\"2\" cellspacing=\"2\"> <td><b>First name: </b> ".$_POST['First_name']."</td><td> <b>Last Name: </b>" .$_POST['Last_name']."</td><tr>"; $body.="<td><b>Address</b> ".$_POST['Address']." </td> <td><b>City: </b>" .$_POST['City']."</td><tr> </table>"; echo fwrite($file,$body); fclose($file); ?> I haven't tested this though. There may be errors.

I'm not sure where this should go, so sorry if I've picked the wrong spot. Anyway, I'm using Acunetix to check for vulnerabilities on a web application I'm building (currently hosted on my computer as I want to fill in security holes before making it public) Anyway, Acunetix has taken over two days to "crawl" through my files. I have 1,500+ that are in my web application (this includes images, misc docs, I think most are coming from TinyMCE and other outside scripts I'm using). For those familiar with Acunetix WVS, is it supposed to take this long?

You need to tell the script to change the name of the text file each time it runs. The simplest way would be to generate a random name and append it to the file. i.e. <?php //Create a random 10-digit alphanumeric variable function randomgen() { $length = 10; $string = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'; $key = substr( str_shuffle($string), 0, $length ); return $key; } $filename = randomgen(); $file = fopen("$filename.txt","w"); $body = $_POST['First_name'] ."<br>"; $body .= $_POST['Last_name'] ."<br>"; echo fwrite($file,$body); fclose($file); ?> Regarding "John<br>Smith<br>" You've created a text file, it is not able to print in HTML. You would need to change the file extension, or change how you're inputting data into test.txt

I suggest using Tizag.com if you're a complete beginner. I found that that site better explains certain aspects of PHP for beginners than some other resources do.

Thanks for the tip!

I figured it out.

I'm trying to figure this regex stuff out, so I've consulted a few resources how to properly write one -- but as my script is no longer working, I suspect I have it wrong. I'm trying to make sure a variable contains the correct allowed values which are alphanumeric and a single underscore followed by the word "useruid": i.e. W2kyK8Etr_useruid So I've written this: <?php $allow = "^[a-zA-Z0-9]_{1}useruid$"; if(eregi($allow,$_COOKIE[$genkey."_useruid"])) { $cleanuid = $_COOKIE[$genkey."_useruid"]; } ?> But it isn't working because I am new to this regex thing and probably messed something up. Could someone spot my mistake?

Thank you, phpORcaffine. I'll try changing them to double quotes.

Here is a snippet of my code: <?php $contactname = db_escape_string(htmlspecialchars($_POST['name'])); $sentname = $user->name; $subject = db_escape_string(htmlspecialchars($_POST['subject'])); $body = db_escape_string($_POST['body']); //pulled in an earlier (not shown) query $contactemail = $rowA['contactemail']; $headers = 'From: ' . $user->mail . ' ' . "\r\n" . 'Reply-To: ' . $user->mail . ' ' . "\r\n" . 'X-Mailer: PHP/' . phpversion(); $headers .= 'MIME-Version: 1.0' . "\r\n"; //prevent mail from going to spam folder $header .= 'Return-Path: ' . $user->name .' < ' . $user->main . '>\r\n'; $headers .= 'Content-Type: text/plain; charset="iso-8859-1"' . "\r\n"; $mailbody = $body; $mailbody .= '\r\n- ------ \r\n Lorem ipsum'; mail($contactemail, $subject, $mailbody, $headers); ?> I'm actually not that familiar with this, so excuse any stupid oversights on my part. The sending of mail works, however, I keep receiving this: Instead of When entering a new line (through hitting the enter key, not actually using "\n") in my form. I wondering what I'm doing wrong. Are my headers incorrect for what I want (simple text emails)? Is it just my email that's reading it wrong (gmail)? I tried setting my emails to HTML and using nl2br(); but the same problem occurred, but with "\r\n<br />" in the emails.

<form action="yourpage.php" method="get"> User: <input type="text" name="user" /><br /> <input type="submit" value="Submit" /> </form> If I understood what you were after, correctly.

Regarding sources to help you learn PHP, I would suggest using http://www.tizag.com/phpT/ which focuses on covering PHP in a way that's easily understood for beginners.

Try <form action="comment.php?user=<?php echo $_GET['user']; ?>" method="POST"> And for the attacks: http://en.wikipedia.org/wiki/SQL_injection

Try <?php $key = substr(md5(rand(0, 1000000)), 0, 10); //generates an alphanumeric code ?> and use $key wherever you want it to show.

<?php include("include/sesh.php"); $from=$_SESSION['username']; $to=$_GET['user']; $comment=$_POST['comment']; $query="INSERT INTO comments VALUES ('$to','$from','$comment', now())"); ?> This should work. I don't know the entire specifics of your code but (ideally) it should work. You need to sanitize your $_GET and $_POSTs to aid in preventing attacks on your site. You should also probably use an id in $_GET instead of the actual username, so that if a username contains spaces or other peculiar characters, or just for matching sake, it's more uniformed. You need to also pass your username to the form or use a hidden post. <form action="comment.php?user=<?php=$_GET['user']?>" method="POST"> <p>Comment<input type="text" name="comment"> <input type="submit" name="submit" value="Add Comment"> </form>

It looks like you've defined the function to add the comment into the database, but aren't actually using the function anywhere. (Unless it's used later on in your script.)

Um...Wordpress?

Quick question regarding Drupal, which is "better" (not the term I'm looking for, but hopefully the gist is understood) for writing PHP files within Drupal - creating a template and putting PHP in there, or writing PHP directly to a page in the admin of Drupal (and why)?

Ah, I see. I don't know how hiring people in that field would work in Israel, then if that's where you're currently located. You might want to shuffle through a few Israel-central job search websites and see what the typical requirements are for your career choice. If you're looking for a job in the U.S., then a college education is probably going to be preferred. Whether or not it will be a hard requirement is up to the individual employer. In regards to designing, I hate web designing; I probably wouldn't do it if designing were required. So no, web designing is not necessary (though I'm sure some employers would favor someone who could/would do both.) You do need to know basic HTML/CSS though, i.e. if you're running a loop in PHP and they want the results printed out in bold - then you should know the HTML bold tag or know how to create a table. The more you know won't hurt you. In regards to actually designing a site in Photoshop or Paint Shop (whichever is their poison of choice) and then coding it in HTML, and then making sure it's valid -- that isn't usually part of your job.

You could freelance without a degree. However, from my (little) experience, it seems that most companies that are actually employing someone want at least a bachelor's degree in CS or something similar. That's not in stone, of course. There are always exceptions. As for knowing CSS, you should understand the gist of it. You don't need to be a CSS expert, but you should be able to write in CSS if required.