MadTechie
Staff Alumni
Posts: 9,409
Days Won: 1

Everything posted by MadTechie

  1. You need to change your queries, so change all the "SELECT * FROM Users" to "SELECT * FROM fgusers6" and "UPDATE Users" to "UPDATE fgusers6".
  2. I just wrote a quick example, and it seems okay; can you provide a bit more detail? Here is my example:

```php
<?php
$waste_name = array();
$waste_id   = array();
$waste_name[] = "Αυτή ";  $waste_id[] = 1;
$waste_name[] = "είναι "; $waste_id[] = 2;
$waste_name[] = "μια ";   $waste_id[] = 3;
$waste_name[] = "δοκιμή"; $waste_id[] = 4;
$waste_name[] = "Blar";   $waste_id[] = 5;
$final_array = array(
    "waste_name" => $waste_name,
    "waste_id"   => $waste_id
);
$json = json_encode($final_array);
?>
<html>
<head>
<title>testing</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<script>
var JSONstring = <?php echo $json; ?>;
for (var i in JSONstring.waste_id) {
    document.write("<p>" + JSONstring.waste_id[i] + ":" + JSONstring.waste_name[i] + "</p>");
}
</script>
</head>
<body>
<p>test page</p>
</body>
</html>
```
  3. Sessions are just like cookies but on the server instead of the client. Holding the user id shouldn't be an issue; they are not encrypted, and the only security problem you need to worry about is session hi-jacking. When a session is created, a cookie is created in the client's browser; this links the two together. So let's say I log in and a session id of 1234 is created, and in turn a cookie is created in my browser (also 1234). Now all is good, except let's say someone else logs in and gets a session id of 5678.. but then changes their cookie's value to 1234.. Now they will access your session and the system will think you're logged in!.. This is called session hi-jacking.

So how do we protect against this? Well, the problem is that we only compare one value (the session id). So let's make this harder. Now we could also store the client's IP, however this might be a pain for members whose IP keeps changing. So let's use the browser's details ("HTTP_USER_AGENT") along with a random token, and also get the system to change the session id for this user per login check. This is just a quick draft:

```php
function create_logon($id) {
    $_SESSION['user_id'] = $id;
    $token = md5(uniqid(rand(), true));
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
    $_SESSION['login_token'] = $token;   // one for the server
    setcookie('login_token', $token);    // and one for the client
}

function check_logon() {
    if (isset($_SESSION['HTTP_USER_AGENT']) && isset($_SESSION['login_token']) && isset($_COOKIE['login_token'])) {
        if ($_SESSION['HTTP_USER_AGENT'] == md5($_SERVER['HTTP_USER_AGENT'])
            && $_SESSION['login_token'] == $_COOKIE['login_token']) {
            session_regenerate_id(true); // generate new ID and remove the old one
            return true;
        }
    }
    return false;
}
```

So now if the user gets the session id, they will also need a cookie with the same token and also need the same browser details! And of course if the user is active these will change every logon check!.. Hope that helps.
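The same binding idea (session plus a per-login token cookie plus a User-Agent fingerprint) written so it runs from the command line, as an added example that is not MadTechie's code. It works on plain arrays standing in for `$_SESSION`, `$_SERVER` and `$_COOKIE`, so the function signatures, the `ua_hash`/`token_hash` keys and the hashed-token storage are this example's own choices; it assumes PHP 7.1 or later for `random_bytes()`, `hash_equals()` and the type declarations. Two things worth noticing over the draft above: the token is compared in constant time against a stored hash, so a copy of the session store does not yield working cookies, and the User-Agent is a client-supplied header, so it is a tripwire against an attacker who copied only the session id rather than a secret in its own right.

```php
<?php
// Added example (not the forum post's code): session binding with a random token
// cookie and a User-Agent fingerprint, against plain arrays so it runs from CLI.
// $session stands in for $_SESSION, $server for $_SERVER, $cookies for $_COOKIE.

// Server side, at login: bind the session to a fresh token and to the client's
// User-Agent. Only a hash of the token is kept server side.
function create_logon(array &$session, array $server, array &$setCookies, int $userId): void
{
    $token   = bin2hex(random_bytes(32));               // 256-bit token from the CSPRNG
    $session = array(                                   // start from a clean session
        'user_id'    => $userId,
        'ua_hash'    => hash('sha256', $server['HTTP_USER_AGENT'] ?? ''),
        'token_hash' => hash('sha256', $token),
    );
    // The client's copy. In a real deployment this is setcookie('login_token', $token,
    // array('httponly' => true, 'secure' => true, 'samesite' => 'Lax')); in the real
    // request handler you would also call session_regenerate_id(true) here.
    $setCookies['login_token'] = $token;
}

// Server side, on every request: all factors must agree. A missing cookie, a
// different User-Agent or a token that does not match the stored hash all fail,
// and a failure discards the server-side session rather than leaving it usable.
function check_logon(array &$session, array $server, array $cookies): bool
{
    if (!isset($session['ua_hash'], $session['token_hash'], $cookies['login_token'])) {
        return false;
    }
    $uaOk    = hash_equals($session['ua_hash'],
                           hash('sha256', $server['HTTP_USER_AGENT'] ?? ''));
    $tokenOk = hash_equals($session['token_hash'],
                           hash('sha256', (string) $cookies['login_token']));
    if (!$uaOk || !$tokenOk) {
        $session = array();                             // kill the session on mismatch
        return false;
    }
    return true;
}

// --- constructed scenario: one session store, two very different clients -------
$victimServer  = array('HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed victim browser)');
$sessionStore  = array();                               // what the server holds for session id "1234"
$victimCookies = array();
create_logon($sessionStore, $victimServer, $victimCookies, 42);

// 1. The legitimate client: right browser, right login_token cookie.
$accepted = check_logon($sessionStore, $victimServer, $victimCookies);

// 2. A client that knows only the session id (the 1234 / 5678 case in the post):
//    no login_token cookie and a different browser, so the bound session is refused.
$otherServer  = array('HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed other browser)');
$otherCookies = array();
$hijacked = check_logon($sessionStore, $otherServer, $otherCookies);

echo $accepted ? "legitimate client: accepted\n"            : "legitimate client: REJECTED (bug)\n";
echo $hijacked ? "session-id-only client: ACCEPTED (bug)\n"  : "session-id-only client: rejected\n";
```

Run it with `php session_binding.php`; the first line reports the legitimate client accepted and the second the session-id-only client rejected. The token lives only in the cookie and the hash only in the session, so either side alone is useless; rotating the token on each successful check, not just the session id, is the natural next step if you want the "changes every logon check" property the post describes to cover the token as well.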
  4. Change

```php
$query = mysql_query("SELECT * FROM users WHERE username='$user'");
```

to

```php
$query = mysql_query("SELECT * FROM users WHERE username='$user'") or die(mysql_error());
```

and see what error you get.
  5. Okay, I think we can agree that detecting what plug-ins are used isn't going to help.. Also the problem is people are changing values and getting extra goodies, so how to deal with it? I have created a simple example shop to help explain the problem and the solution. The code below is a gun shop for a game; now, to keep it simple, I have used GET instead of POST:

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Gun shop</title>
</head>
<body>
<?php
$money = 75;
$items = array(
    1 => array("Name" => "small gun",  "Price" => 10),
    2 => array("Name" => "medium gun", "Price" => 50),
    3 => array("Name" => "large gun",  "Price" => 100)
);

//Purchase
if(!empty($_GET['do']) && !empty($_GET['id']) && $_GET['do'] == 'purchase'){
    echo "<p>You have purchased the ".$items[$_GET['id']]['Name']."</p>";
}

foreach($items as $id => $item){
    echo $item['Name'];
    if($item['Price'] <= $money){
        echo ' <a href="?do=purchase&id='.$id.'">Buy Now</a>';
    }else{
        echo ' <a href="javascript:alert(\'Need more money\');">need more funds</a>';
    }
    echo "<br />";
}
?>
</body>
</html>
```

Now if you click on the small gun "Buy Now" it tells you you have purchased it, yay, same for the medium gun.. but if you want the large.. no joy.. BUT if you just change the id to 3 in the URL (or in your case changed a value in a form via whatever method) you'll see you can buy the large gun.. So how do we stop that.. well, the display is only to help the user choose; you should never work under the impression that if you don't display something then it's secure, as it's NOT..

So to plug our exploit, we need to check if they have the money after the GET/POST, the same as we checked when we displayed it. So now if you change

```php
//Purchase
if(!empty($_GET['do']) && !empty($_GET['id']) && $_GET['do'] == 'purchase'){
    echo "<p>You have purchased the ".$items[$_GET['id']]['Name']."</p>";
}
```

to

```php
//Purchase
if(!empty($_GET['do']) && !empty($_GET['id']) && $_GET['do'] == 'purchase'){
    if($items[$_GET['id']]['Price'] <= $money){ //Added IF statement
        echo "<p>You have purchased the ".$items[$_GET['id']]['Name']."</p>";
    }
}
```

you'll find you can no longer get the large gun. Hope that helps.

EDIT: Now just say your shop will display a random item with the option to buy it; then you'll need to check that that item was on offer to that user, so save its ID in a session or a database, whatever.. just somewhere the user can't access.
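The purchase step from the shop above with every decision made on the server, as an added example that is not the post's code, covering both the money re-check and the EDIT about remembering which items were actually offered. The request is a plain array standing in for `$_GET`/`$_POST`, the balance and the offered ids live in a `$session` array standing in for `$_SESSION`, and `purchase()`, `render_offers()` and the `offers`/`money` keys are this example's own names. Beyond the post it also validates the id as an integer and as a real catalogue entry before it is used as an array index, which is what stops the undefined-index notices the original gets on a junk id.

```php
<?php
// Added example (not the forum post's code): the gun shop purchase handler with
// the catalogue, the balance and the "offered to this user" list all server side.
// $session stands in for $_SESSION, $request for $_GET or $_POST. Runs from CLI.

$items = array(
    1 => array("Name" => "small gun",  "Price" => 10),
    2 => array("Name" => "medium gun", "Price" => 50),
    3 => array("Name" => "large gun",  "Price" => 100),
);

// Rendering step: pick what to show this user and record the ids in the session,
// so the purchase step can check "was this actually on offer?" (the EDIT in the post).
function render_offers(array $items, array &$session, array $offeredIds): array
{
    $session['offers'] = $offeredIds;
    $lines = array();
    foreach ($offeredIds as $id) {
        $affordable = $items[$id]['Price'] <= $session['money'];
        $lines[] = $items[$id]['Name'] . ($affordable ? ' [Buy Now]' : ' [need more funds]');
    }
    return $lines;
}

// Purchase step: trusts nothing in $request except as a lookup key that is
// validated before use. Returns the message to show the user.
function purchase(array $items, array &$session, array $request): string
{
    // 1. The id must be an integer that names a real catalogue entry; reject
    //    anything else before it is ever used as an array index.
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset($items[$id])) {
        return "Unknown item.";
    }
    // 2. The item must have been offered to this user when the page was rendered.
    if (!in_array($id, $session['offers'] ?? array(), true)) {
        return "That item is not on offer.";
    }
    // 3. The same money check the display used, repeated at purchase time
    //    against the server-side balance.
    $price = $items[$id]['Price'];
    if ($price > $session['money']) {
        return "Need more money for the " . $items[$id]['Name'] . ".";
    }
    $session['money'] -= $price;                          // debit, then confirm
    return "You have purchased the " . $items[$id]['Name'] . ".";
}

// --- constructed scenario --------------------------------------------------
$session = array('money' => 75);
// Only the small and large guns are shown to this user this time.
foreach (render_offers($items, $session, array(1, 3)) as $line) {
    echo $line, "\n";
}
echo purchase($items, $session, array('do' => 'purchase', 'id' => '3')), "\n";   // URL edited to id=3: Need more money
echo purchase($items, $session, array('do' => 'purchase', 'id' => '2')), "\n";   // not displayed: not on offer
echo purchase($items, $session, array('do' => 'purchase', 'id' => "3' OR 1=1")), "\n"; // junk id: Unknown item
echo purchase($items, $session, array('do' => 'purchase', 'id' => '1')), "\n";   // legitimate: purchased, money now 65
echo "Balance left: ", $session['money'], "\n";
```

Run it with `php gun_shop.php`. The display code and the purchase code share one rule (the comparison against `$session['money']`), which is the point of the post: whatever the client sends, the server decides eligibility from state the client cannot edit.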
  6. I am going to assume that HostGator are using an older version of PHP than I am. I am also assuming that you have `ob_start();` in your script (above what you have posted). With that said, try changing the line

```php
ob_clean();
```

to

```php
if (ob_get_length() > 0) @ob_end_clean();
```

In truth you could use either the `if` or the `@`, and the above is kinda overkill.. Hope this helps -MadTechie
  7. Would it be possible to attach one of the PDFs, or email me one?
  8. 11 times now (FileZilla)
  9. What.. OMG.. something works on Vista.. better call M$ and get them to fix that bug..!
  10. I use FileZilla ;) but haven't used it much, so I can't really say the pros and cons.
  11. So the statement was based on your personal preference!! Because you asked for my personal preference: when I first used CuteFTP it seemed very basic and, while easy to use, missed most advanced options.. but nowadays it's more down to the way you work.. as most FTP programs can all do the same functions.