MadTechie, Staff Alumni: 9,409 posts, 1 day won
Everything posted by MadTechie

  1. Axeia covered the main one for SQL but for HTML injection (XSS) use htmlspecialchars()
  2. why not use
       $XML = file_get_contents($url);
     then validate the $XML with
       $XML = file_get_contents($url);
       if (preg_match('/^<\?xml/s', $XML)) {
           echo "valid";
       }
     EDIT: of course this is a simple check but you can expand it to check the XML is an RSS feed
  3. Here's a list from other members; of course check it, some allow you to see a phpinfo(); page
  4. could you do an export from your photos table so I can test it here
  5. Okay well that code will never work.. if you keep changing random parts this will never get resolved! Your code should look like this:
       $query = 'SELECT venue, address, date_1, time_1, date_2, time_2, date_3, time_3, date_4, time_4, host, host_email, venue_website, venue_phone, logo_image FROM Venues ORDER BY date_1 ASC LIMIT 0, 100';
       $result = mysql_query($query) or die(mysql_error());
       while ($row = mysql_fetch_array($result)) {
           if (!empty($row['venue'])) echo "<b>".$row['venue']."</b><br />\n";
           if (!empty($row['address'])) echo $row['address']."<br />\n";
           if (!empty($row['date_1'])) echo $row['date_1']." ";
           if (!empty($row['time_1'])) echo $row['time_1']."<br />\n";
           if (!empty($row['date_2'])) echo $row['date_2']." ";
           if (!empty($row['time_2'])) echo $row['time_2']."<br />\n";
           if (!empty($row['date_3'])) echo $row['date_3']." ";
           if (!empty($row['time_3'])) echo $row['time_3']."<br />\n";
           if (!empty($row['date_4'])) echo $row['date_4']." ";
           if (!empty($row['time_4'])) echo $row['time_4']."<br />\n";
           if (!empty($row['host'])) echo "Host: ".$row['host']." ";
           if (!empty($row['host_email'])) echo "Host Email: ".$row['host_email']."<br />\n";
           if (!empty($row['venue_website'])) echo $row['venue_website']."<br />\n";
           if (!empty($row['venue_phone'])) echo $row['venue_phone']."<br />\n";
           if (!empty($row['logo_image'])) echo $row['logo_image']."<br />\n";
           // tried this to echo image but displays X image
           if (empty($row['logo_image'])) { // debug
               echo "<img src='admin/venues/files/noimage.gif'>"; // no image
           } else {
               echo "<img src='admin/venues/files/{$row['logo_image']}'>"; // found image
           }
           echo "<img src='/venue/files/{$row['logo_image']}'>";
           echo "<hr>";
       }
  6. Seen this problem before, it was an issue with Internet Explorer 7, it only failed on 2 of 7 PCs, one of them used FF and then we upgraded to 8 (it still failed), we downgraded to 6, it worked, we installed 7, it worked.. we left it there lol
  7. Here's an easy option: pull the datetime out as a unix timestamp (same format as time())
       SELECT myDate, UNIX_TIMESTAMP(myDate) as myUnixDate FROM table etc etc
     you'll see that myDate is 2009-05-23 14:27:57 but myUnixDate is 1243085277 so you can still use the + 20 etc
  8. can you post your latest code Viewimages.php and Showimages.php
  9. you're sending text, not HTML, see example #4 of the php manual mail()
  10. why not just do this
       UPDATE ".tbl_author." SET status = if(UNIX_TIMESTAMP(last_access)+(60*15) > NOW(),1,0) WHERE username='$username' AND password='".md5($passwd)."'
  11. if you say so! EDIT: Oh you have updated it. if ($postcommentq == true) { would be better as $postcommentq is true, but 1 is also true, so echoing $postcommentq would return 1, but if you did var_dump($postcommentq) you'll see it's in fact true
  12. Forum Rules: All requests for code to be written for you should be posted under the freelance section. No exceptions.
  13. it works out the start and end page. Oh and being rude will get you less help; here's some php pagination. Also this should be in the "third party" section as you didn't write it yourself
  14. Well you say you're good with PHP so it's kinda hard to say where you're stuck. These would be my basic steps. Well, first step is knowing the problem: first work out how to do it manually, then break it down into smaller steps
       #1 look at the form and write down which fields are needed etc
       #2 create a script to build up that data and send a post request
       #3 check results/output
       #4 create a script to check for the conditions (ie new file to be added) and get that to create a log
       #5 test #4, check logs
       #6 put that script (#4) into a cron job, and check the logs
       #7 update #4 to use the script from #2
       #8 refactor code (clean up etc)
     hope that helps,
  15. code looks okay but kinda need to see the form and php code that works with it!
  16. I just gave up, hence
  17. if the page is an index.php page then you don't need to use $_SERVER['PHP_SELF'], so
       header("Location: http://".$_SERVER['HTTP_HOST']);
     would be fine. Escaping it may be an option, ie
       $PHP_SELF = htmlentities($_SERVER['PHP_SELF']);
  18. First off there's no such thing as 100% secure. I just quickly read the script and wrote some notes, okay well unless I missed something, and providing your site is also secure, it looks okay (a few things I would change). Here are my notes, hope they help:
     - storing the MD5 password in a cookie isn't a good idea. Why not have a session that's just set to true
         $_SESSION['allowUploads'] = true; // the username or IP etc etc
     - also $_SERVER['PHP_SELF'] can be used to inject HTML, ie mypage.php?a=<script>alert('hello');</script>
     - as for checking extensions, personally I use a MIME test as well!
     - try to use long php tags <?php instead of <? for portability
     - I don't like your random name idea
         $file_name[$i]=time()+rand(0,100000).".".$ext;
       Just say the random number is 60, then 55 seconds later someone gets a random number 5. So that I would change.
  19. Sorry you took a while to respond and I needed sleep. okay.. it looks like you added some extra quotes (also your line 15 isn't my line 15) change
       $query = "SELECT id FROM photos WHERE id='($IDS)'";
     to
       $query = "SELECT id FROM photos WHERE id=($IDS)";
  20. The && TRUE makes sure it used the MyNoImageImage.jpg, now that's showing you remove the && TRUE. As you said you are getting the same results, that's to be expected as the data you posted has no image!
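The notes in post 18 applied to one upload handler, as an added example (not MadTechie's code or the original poster's script). It assumes the login code elsewhere sets $_SESSION['allowUploads'], that the form field is named "userfile", and an uploads/ directory next to the script; all three names are assumptions.

```php
<?php
// Added example: session flag instead of an MD5 cookie, escaped PHP_SELF,
// extension plus MIME check, and a file name that cannot collide.
// Assumed: $_SESSION['allowUploads'] is set at login, field "userfile", dir uploads/.
session_start();

// 1. Authorise with a server-side session flag, never a password hash in a cookie.
if (empty($_SESSION['allowUploads'])) {
    http_response_code(403);
    exit('Not allowed');
}

// 2. PHP_SELF echoes whatever follows the script name, so escape it before use.
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');

if (isset($_FILES['userfile']) && $_FILES['userfile']['error'] === UPLOAD_ERR_OK) {
    $tmp = $_FILES['userfile']['tmp_name'];

    // 3. Check the extension AND the real MIME type of the bytes, not just the name.
    $allowed = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png',  'gif'  => 'image/gif');
    $ext   = strtolower(pathinfo($_FILES['userfile']['name'], PATHINFO_EXTENSION));
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp);
    if (!isset($allowed[$ext]) || $allowed[$ext] !== $mime) {
        exit('Bad file type');
    }

    // 4. time()+rand() repeats (rand 60 now, rand 5 fifty-five seconds later gives
    //    the same number), so use random bytes instead (random_bytes needs PHP 7+).
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = __DIR__ . '/uploads/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        exit('Save failed');
    }
    echo 'Saved as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}
?>
<form method="post" action="<?php echo $self; ?>" enctype="multipart/form-data">
    <input type="file" name="userfile">
    <input type="submit" value="Upload">
</form>
```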
  21. view the page "viewimage.php?id=1" in your browser if no image appears double check your code for viewimage.php
  22. try this
       <?php
       include 'connect.php';
       $self = $_SERVER['PHP_SELF'];
       $query = "SELECT id, img_name, img_type, img_size, img_data FROM img_tbl ORDER BY id";
       $result = mysql_query($query) or die('Error, query failed');
       while ($row = mysql_fetch_array($result)) {
           echo "<img src=\"viewimage.php?id={$row['id']}\" width=\"55\" height=\"55\" /> <br/>";
       }
       mysql_close($dbconn);
       ?>
  23. update line 15 to mysql_query($query) or die(mysql_error()); to see the error
  24. untested, try this
       <?php
       // Connects to your Database
       $link = mysql_connect('localhost', 'user', 'pass');
       mysql_select_db("database") or die(mysql_error());
       ?>
       <?php include('header.php'); ?>
       <div class="contentwide">
       <div class="contentwrap">
       <form method="post" action="voted.php">
       <?php
       $query = "SELECT id, name, url FROM photos ORDER BY RAND() LIMIT 3";
       $result = mysql_query($query);
       while ($row = mysql_fetch_assoc($result)) {
       ?>
           <input type="hidden" name="id[]" value="<?php echo $row['id']; ?>">
           <div class="picturewrap">
               <img src="<?php echo $row['url']; ?>" alt="<?php echo $row['name']; ?>" />
               <div class="formwrapper">
                   <input type="radio" name="images[<?php echo $row['id']; ?>]" value="spoon">
               </div>
               <div class="formwrapper">
                   <input type="radio" name="images[<?php echo $row['id']; ?>]" value="fork">
               </div>
               <div class="formwrapper">
                   <input type="radio" name="images[<?php echo $row['id']; ?>]" value="knife">
               </div>
           </div>
       <?php } ?>
       <div class="submitform">
           <input type="image" src="images/button_submit.jpg" class="button_submit" value="Submit"><br />
       </div>
       </form>
       </div>
       </div>
       <?php mysql_close($link); ?>
       <?php include('footer.php'); ?>

     and voted.php:
       <?php
       $IDS = implode(",", $_POST['id']);
       // security filters: only digits and commas may reach the query
       $IDS = preg_replace('/[^,\d]/s', '', $IDS);
       if ($IDS === '') die("ERROR");
       $valid = array("spoon", "knife", "fork");
       $query = "SELECT id FROM photos WHERE id IN ($IDS)";
       $result = mysql_query($query);
       while ($row = mysql_fetch_assoc($result)) {
           $images = mysql_real_escape_string($_POST['images'][$row['id']]);
           // the vote value becomes a column name, so it must match the whitelist
           if (!in_array($images, $valid)) die("ERROR");
           $update = sprintf("UPDATE photos SET {$images}_votes={$images}_votes+1 WHERE id=%d LIMIT 1", $row['id']);
           mysql_query($update);
       }
       ?>
  25. if (isset($_POST['savedata']) || isset($_COOKIE['savedata'])) {
         setcookie("savedata", true, 0, '/', FALSE);
         setcookie("testtext", $_POST['testtext'], 0, '/', FALSE);
      }