PFMaBiSmAd

Staff Alumni
  • Posts: 16,734
  • Days Won: 9
Everything posted by PFMaBiSmAd

  1. The section in the documentation that describes how to handle uploaded files using php would be your first step - http://us2.php.net/manual/en/features.file-upload.post-method.php
  2. Read the error: You would need to determine what index.php is doing on (or up to) line 11 that is producing output and either eliminate it (assuming it is unintentional) or rearrange your logic (assuming the output is intentional) so that the output occurs after the header() statement or the header() statement is before the code sending the output.
  3. http://dev.mysql.com/doc/refman/5.0/en/user-variables.html
  4. The 'test' that XSS Me does is to check if what it submits is output on the resulting page. A true test would be, does the submitted 'dangerous code' get saved somewhere on your site and is then output as content on a page so that other visitors to your site will end up having the dangerous code executed in their browser?
  5. func_get_args is a function and must be called correctly - $images = func_get_args(); You should be developing and debugging php code on a system with error_reporting set to E_ALL and display_errors set to ON in your master php.ini so that php will help you find errors in your code like the above. You will save a ton of time. Your code will be greatly simplified if you use an array - see example #3 at this link - http://us2.php.net/manual/en/features.file-upload.post-method.php
  6. To get the actual row (so that you would get the correct information from other columns in it, like the price or an id) holding a specific value (max, min...) for a group, see this link - http://dev.mysql.com/doc/refman/5.0/en/example-maximum-column-group-row.html
  7. As you can imagine, the word database probably has significance to a database - http://dev.mysql.com/doc/refman/5.0/en/reserved-words.html If you truly have a column named database, you must enclose it in back-ticks ` so that it will be treated as an identifier instead of a reserved keyword.
  8. You are likely getting a fatal runtime error at the filter_var() instruction. Are you developing and debugging php code on a system with error_reporting set to E_ALL and display_errors set to ON in your master php.ini so that php would display all the errors it detects? You would save a ton of time.
  9. Since trigger is a reserved mysql keyword, it would need to be enclosed in back-ticks ` for it to be treated as an identifier.
  10. That would imply that trigger is not a column in your table. What does echoing mysql_error(); show?
  11. The error message means that the $dbhost name you are using is not that of an actual mysql server. On shared web hosting it will be something like mysqlx.yourwebhost.com. You would need to check with your web host to be sure what it is on your server. Your database management tool (where you created the database, username, and password) typically displays the correct mysql server host name to use in the connection.
  12. It suppresses the error message. The code still has an error, but with the @ the error message is not produced and your code still does not work. With full php error_reporting/display_errors turned on you would have gotten a fatal runtime undefined function error message that would have alerted you to where and what the problem was.
  13. What is your code for a user written function named mysql_query2? If that is supposed to be the built-in function mysql_query(), then please DON'T ever put @ in your code to suppress error messages. You should have display_errors turned ON for development and turned OFF for a live server, so there is absolutely no reason to put @ in any code to suppress error messages.
  14. And since the error message states where the output is occurring at that is preventing the headers from working - You would need to determine what connection.php is doing on line 17 that is producing output and either eliminate it (assuming it is unintentional) or rearrange your logic (assuming the output is intentional) so that the output occurs after the header() statement or the header() statement is before the code sending the output.
  15. The posted code is way out of date. It is dependent on register_globals being on to magically populate program variables from the $_POST data. register_globals were turned off by default in php4.2 in April of the year 2002, over 7 years ago. Since register_globals have been completely removed in php6, you would need to update the code for it to be usable with register_globals turned off in all current versions of php and removed in future versions.
  16. emailid in the URL ?emailid= is not the same as emailID in $_GET['emailID']
  17. A) Which of the two possible queries are failing, B) Is emailid a string data type, which would mean that the value you are comparing with it would need to be enclosed in single-quotes, and C) Posting the actual error message would help.
  18. Replace "vote again" in the following link with "continue trying passwords" - http://www.phpfreaks.com/forums/index.php/topic,276805.msg1309214.html#msg1309214 The data in the session might be secure but a hacker can drop the current session (thereby clearing the failed login count) and just keep trying passwords until he finds one that works.
  19. The \ characters are not present in the database. The \ characters are only present in the query string so that any special sql characters don't break the sql syntax of the query.
  20. You are also not echoing anything in your action="..." attribute (do a view source in your browser to check.) Fortunately, an empty attribute means the 'same page'.
  21. http://www.phpfreaks.com/forums/index.php/topic,276805.msg1309214.html#msg1309214
  22. Please take this in a humorous way, but neither of those statements are 'programming' terms. Computers only do exactly what their code and data tells them to do, so "I'm not sure" and "I think so" don't work in programming. You must be sure and you must know what your code is doing with your data.
  23. In most programming languages ^ is not a math operator. Specifically, in javascript, it is Bitwise XOR.
  24. When any kind of comparison fails, in this case it is a WHERE clause in a query, you must troubleshoot why it is failing. Look directly in your database table using your favorite database management tool and confirm that the username you are entering is correct and that value from md5($_POST['pass']) matches exactly, down to the last character, what is stored in the table.
  25. There is nothing wrong with the posted statement and it works in FF. Best guess is that you are looking at an old existing cookie that has already expired and that the setcookie() statement you posted is not being executed or is not sending the cookie due to a header error.