Everything posted by MadTechie
-
insert HTML code into sql table via php form
MadTechie replied to Alexhoward's topic in PHP Coding Help
Oops, noticed that the input boxes were hidden..... so see update.. also change hidden to text while testing..
<?php
$mysite_username = htmlspecialchars($_COOKIE["mysite_username"], ENT_QUOTES); // escape the cookie value before echoing it into HTML
$conn = mysql_connect($server, $db_user, $db_pass) or die ("could not connect to mysql"); // connect to mysql
$rs = mysql_select_db($database, $conn) or die ("Could not select database"); // select database
$sql = "Select link FROM links"; // pull the links from the table
$result = mysql_query($sql) or die(" Could not add style facts");
echo "<table align=center border=1>"; // display the links in a table
$c = 0;
while($row = mysql_fetch_array($result)) {
    //update line below
    $user2 = htmlspecialchars($row['link'], ENT_QUOTES);
    if($c%5 == 0) echo "<tr height=\"200px\">"; // every 5 cells, start a new row
    echo "<td><FORM action='addlinks.php' method='post'><p><input type=HIDDEN name='user' value='$mysite_username'></p><p align=center><input type=hidden name='user2' value='$user2'></p><p align=center>rating script here</p><p align=center><input type=submit></p></form></td>";
    if($c%5 == 4) echo "</tr>"; // after the 5th cell, end this row
    $c++;
}
if($c%5 != 0) echo "</tr>"; // if the number of cells isn't divisible by 5, the last row is still open, so end it
echo "</table>"; // end the table
?>
3am here in the UK, i got to be up in 4 hours... night all.
-
insert HTML code into sql table via php form
MadTechie replied to Alexhoward's topic in PHP Coding Help
add link should look like this
<?php
// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass) or die ("Could not connect to mysql because ".mysql_error());
// select the database
mysql_select_db($database) or die ("Could not select database because ".mysql_error());
// insert the data
$user = mysql_real_escape_string($_POST['user']);
// htmlspecialchars() leaves backslashes alone, so escape for the query as well
$user2 = mysql_real_escape_string(htmlspecialchars($_POST['user2'], ENT_QUOTES));
$insert = mysql_query("insert into memberlinks values ('$user', '$user2')") or die("Could not insert data because ".mysql_error());
// print a success message
echo "Your link has been added!<br>";
echo "Now you can <a href=change_password.php>add another link</a>";
?>
-
maybe they are short of php programmers!! who knows.. Just Kidding Guys & Girls, adding a mod can be a pain plus the site is offline for a little while and i may be wrong!
-
I'm sure simple for someone! Selecting from database randomly!
MadTechie replied to gibrst's topic in PHP Coding Help
what do you have so far ?
<?php
$cat = "cars";
$SQL = "SELECT * FROM `table` WHERE Cat = '$cat' order by RAND() limit 1;";
?>
there's better random routines for mysql, this one was just a quickie
-
insert HTML code into sql table via php form
MadTechie replied to Alexhoward's topic in PHP Coding Help
please post the code, i'll review it
-
It's a mod to the standard SMF (this forum). i believe the forum had an upgrade or something and the admins haven't added it back in (but i am not 100% sure)
-
insert HTML code into sql table via php form
MadTechie replied to Alexhoward's topic in PHP Coding Help
i would use
<?php
$user2 = htmlspecialchars($_POST['user2'], ENT_QUOTES);
//now refer to $user2 instead of $_POST['user2'] in the remaining code
?>
-
okay
/ = root
/images/banners/madtechie_banner.jpg
/image.php
you'd use this
$dir = dirname(__FILE__)."/images/banners/";

/ = root
/images/banners/madtechie_banner.jpg
/class/image.php
you'd use this
$dir = dirname(__FILE__)."/../images/banners/";

try printing the $dir and check it's pointing to the correct place
ahh i just typed this...
Ok the solved button has been removed but i'll take your last post as a solved
-
insert HTML code into sql table via php form
MadTechie replied to Alexhoward's topic in PHP Coding Help
<?php
// addslashes() dropped: escaping twice stores literal backslashes in the table
$html_code = mysql_real_escape_string(nl2br($_POST['html_code']));
?>
or
<?php
$html_code = htmlspecialchars($_POST['html_code'], ENT_QUOTES);
//on output i use nl2br
?>
-
it can secure a whole project but it's a nightmare to debug.. of course!
-
check your code, also it depends on where the file (it's running from) is located.. compared to the images folder
-
can't make it impossible but can make it harder.. you could try Zend Guard, even if you just used it on a single (the main) class file
-
insert HTML code into sql table via php form
MadTechie replied to Alexhoward's topic in PHP Coding Help
i would assume
<?php
$avar = '<a href="http://rover.ebay.com/rover/1/710-5232-2978-8/1?aid=5834748&pid=2804964" target="_blank" onmouseover="window.status=\'http://www.ebay.co.uk\';return true;" onmouseout="window.status=\' \';return true;">';
$avar .= '<img src="http://www.tqlkg.com/image-2804964-5834748" width="120" height="30" alt="Click here to buy & sell on eBay!" border="0"/></a>';
// the HTML contains single quotes, so escape it before it goes into the query
$avar = mysql_real_escape_string($avar);
$SQL = "INSERT INTO `table` SET field = '$avar';";
?>
-
$types is an array
$type is the filetype
as i said the problem is here
$dir = "http://www.adworld-online.com/images/banners/";
you're using a HTML path not a FILE path
use
$dir = dirname(__FILE__)."/images/banners/";
-
erm i think you'll find that sha1(md5($pass . $salt)) will be less secure than sha1($pass . $salt) since you're feeding in 128-bits of information to generate a 256-bit hash, so 50% of the resulting data is redundant. You have not increased security at all.

EDIT: Also rainbow tables can be made for anything if you have the right data.. it's not a point of if a rainbow table can be created, it's if it's worth it.. of course a static salt means a rainbow table can give you everyone's password on that site but dynamic salts mean rainbow tables are more or less useless..

EDIT2: just as a side note everyone and their dog can create "super-secure" functions for hashing and re-hashing passwords but it's performance as well, looping 10 times i don't think is a great idea, you'll create more collisions.. again less secure.. if you want to make it harder to break try adding 2 salts and do something with them, or even an 8 char salt, hash that and use the first 16 chars appended or prefixed to the password before hashing it..
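
The static versus dynamic salt point made in the post above, shown as an added example (not code from the post or its thread). The function names, account names, passwords and site salt are constructed for illustration, and sha1 is kept only because it is the hash the post discusses.

```php
<?php
// Added illustration; all account names, passwords and salts are constructed.

// Static-salt scheme: one salt shared by every account on the site.
function hash_static($pass, $siteSalt) {
    return sha1($pass . $siteSalt);
}

// Dynamic-salt scheme: a fresh random salt per account, stored beside the hash.
function hash_dynamic($pass) {
    $salt = bin2hex(random_bytes(8)); // 16 hex characters, different for each account
    return array('salt' => $salt, 'hash' => sha1($pass . $salt));
}

// Verification re-derives the hash from the stored salt.
// hash_equals() compares the two strings in constant time.
function verify_dynamic($pass, array $record) {
    return hash_equals($record['hash'], sha1($pass . $record['salt']));
}

$siteSalt = 'constructed-site-salt';
$users = array('alice' => 'letmein', 'bob' => 'letmein', 'carol' => 'tr0ub4dor');

$static = array();
$dynamic = array();
foreach ($users as $name => $pass) {
    $static[$name]  = hash_static($pass, $siteSalt);
    $dynamic[$name] = hash_dynamic($pass);
}

// Static salt: equal passwords give equal hashes, so a single table built
// for $siteSalt covers every account and shared passwords are visible.
echo "static, alice == bob:  ";
var_dump($static['alice'] === $static['bob']);

// Dynamic salt: the same password hashes differently for each account, so a
// precomputed table would have to be rebuilt once per salt.
echo "dynamic, alice == bob: ";
var_dump($dynamic['alice']['hash'] === $dynamic['bob']['hash']);

// Login still works because the salt is stored with the hash.
echo "correct password:      ";
var_dump(verify_dynamic('letmein', $dynamic['alice']));
echo "wrong password:        ";
var_dump(verify_dynamic('wrong', $dynamic['alice']));
```

On PHP 5.5 and later, password_hash() and password_verify() generate and store the per-password salt for you and use a deliberately slow algorithm, which is the usual choice for new code.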
-
user chown
-
Adding error messages when updating a form.
MadTechie replied to tarik321's topic in PHP Coding Help
update them to check if they are empty ie
if($prioritylevel == "Please Select" || empty($prioritylevel))
-
your form doesn't have any form elements except a button so $_POST['user2'] won't be passed (i assume you mean $_POST['user2'] and not $_POST['$user2']); also $_POST[$_COOKIE[mysite_username]] should probably be $_COOKIE['mysite_username'], that's after a quick look..
-
google phpgrid or datagrid - its one of them!!
-
basically you need to use LIMIT, i would read up on "pagination" as it has been covered over and over
-
of course passing a parameter to it would be the same as a get and allowing a vote via click would probably just be a hyperlink
-
personally i doubt this is part of a bank system, there's too many holes!! but then again just returning a balance isn't that bad.. well i mean it could be worse
-
without getting into the long posts about what's been cracked.. if i posted a MD5 with salt can you crack it ? i assume no.. thus sha512 isn't part of PHP
AES and BlowFish are TWO way encryption.. not great for passwords as they can be reversed..
-
insecure as hell.. i have a pinsentry to login to my bank account.. i need my bank card and my pin and then my online account number and password... yours requires an email.... you can do it but you'll need to create an online mail client (without the interface) with a cron to check the mail box.. Oh btw what's the name of this bank.. i need some extra cash!
-
sha1 is faster and more secure..