MadTechie

you're need to change you're queries, So change all the "SELECT * FROM Users" to "SELECT * FROM fgusers6" and "UPDATE Users" to "UPDATE fgusers6"

I just wrote a quick example, and it seams okay, can you provide a bit more detail.. here is my example <?php $waste_name = array(); $waste_id = array(); $waste_name[] = "Αυτή "; $waste_id[] = 1; $waste_name[] = "είναι "; $waste_id[] = 2; $waste_name[] = "μια "; $waste_id[] = 3; $waste_name[] = "δοκιμή"; $waste_id[] = 4; $waste_name[] = "Blar"; $waste_id[] = 5; $final_array = array( "waste_name" => $waste_name, "waste_id" => $waste_id ); $json = json_encode($final_array); ?><html> <head><TITLE>testing</TITLE> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <script> var JSONstring = <?php echo $json;?>; for(i in JSONstring.waste_id){ document.write("<p>"+JSONstring.waste_id[i]+":"+JSONstring.waste_name[i]+"</p>"); } </script> </head> <body> <p>test page</p> </body> </html>

The sessions are just like cookies but on the server instead of the client, holding the user id shouldn't be a issue, they are not encrypted, the only security problem you need to worry about is session hi-jacking, When a session is created, a cookie is create on the clients browser, this links then together, So lets say i login and a session id of 1234 is created, and in turn a cookie is created in my browser (also 1234) Now all is good except lets say someone else logs in an gets a session id of 5678.. but then changes their cookie's value to 1234.. Now they will access your session and the system will think your logged in!.. this is called session hi-jacking.. So how do we protect against this! well the problem is that we only compare 1 value (being the session id) So lets make this harder, now we could also store the clients IP, however this might be a pain for members who IP keep changing. So lets use the the browsers details "HTTP_USER_AGENT" along with a random token and also get the system to change the session id for this user per login check, this is just a quick draft function create_logon($id) { $_SESSION['user_id'] = $id; $token = md5(uniqid(rand(), true)); $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']); $_SESSION['login_token'] = $token; //one for server setcookie('login_token', $token); //and one for the client } function check_logon(){ if(isset($_SESSION['HTTP_USER_AGENT']) && isset($_SESSION['login_token']) && isset($_COOKIE['login_token'])) { if ($_SESSION['HTTP_USER_AGENT'] == md5($_SERVER['HTTP_USER_AGENT']) && $_SESSION['login_token'] == $_COOKIE['login_token'] ) { session_regenerate_id(true); //generate new ID and remove the old one return true; } } return false; } So now if the user get the session id, the will also need a cookie with the same token and also need the same browser details!, and of course if the user is active these will change every logon check!.. hope that helps

change $query = mysql_query("SELECT * FROM users WHERE username='$user'"); to $query = mysql_query("SELECT * FROM users WHERE username='$user'") or die(mysql_error()); and see what error you get

Okay I think we can agree that detecting what plug-ins are used isn't going to help.. Also the problem is people are changing values and get extra goodies, So how to deal with it, I have created a simple example shop, to help explain the problem and the solution, the below code is a gun shop for a game, now to keep it simple I have used GET instead of post, <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Gun shop</title> </head> <body> <?php $money = 75; $items = array( 1 => array("Name" => "small gun", "Price" => 10), 2 => array("Name" => "medium gun", "Price" => 50), 3 => array("Name" => "large gun", "Price" => 100) ); //Purchase if(!empty($_GET['do']) && !empty($_GET['id']) && $_GET['do'] == 'purchase'){ echo "<p>You have purchased the ".$items[$_GET['id']]['Name']."</p>"; } foreach($items as $id => $item){ echo $item['Name']; if($item['Price'] <= $money){ echo ' <a href="?do=purchase&id='.$id.'">Buy Now</a>'; }else{ echo ' <a href="javascript:alert(\'Need more money\');">need more funds</a>'; } echo "<br />"; } ?> </body> </html> Now if you click on the small gun "buy now" it tell you you have purchased it, yay, same for the medium gun.. but if you want the large.. no joy.. BUT if you just change the id to 3 on the URL (or in your case changed a value in a form via whatever method) your see you can buy the large gun.. So how do we stop that.. well the display is only to help the user choose, you should never work under the impression that if you don't display something then its secure, as its NOT.. So to plug our exploit, we need to check if they have the money after the get/post same as we checked when we displayed it, So now if you change //Purchase if(!empty($_GET['do']) && !empty($_GET['id']) && $_GET['do'] == 'purchase'){ echo "<p>You have purchased the ".$items[$_GET['id']]['Name']."</p>"; } to //Purchase if(!empty($_GET['do']) && !empty($_GET['id']) && $_GET['do'] == 'purchase'){ if($items[$_GET['id']]['Price'] <= $money){ //Added IF statement echo "<p>You have purchased the ".$items[$_GET['id']]['Name']."</p>"; } } your find you can no longer get the large gun, Hope that helps EDIT: Now just say you your shop will display a random item with the option to buy it, then your need to check that, that item was on offer to that user, so save its ID in a session or a database whatever.. just somewhere the user can't access,

I am going to assume that HostGator are using an old version of PHP that i am, I am also assuming that you have ob_start(); in your script (above what you have posted) with that said, try changing the line ob_clean(); to if (ob_get_length() > 0) @ob_end_clean(); in truth you could use the if or the @ and the above is kinda overkill.. Hope this helps -MadTechie

Would it be possible to attach one of the PDF's, or email me one

Seams quite relevant to me! APD allows you to override built-in functions by replacing them in the symbol table., that should do the trick.. this is just an example rename_function('file_put_contents', 'old_file_put_contents'); override_function('file_put_contents', '$filename,$data', 'return override_file_put_contents($filename,$data);'); function override_file_put_contents($filename,$data){ //logging goes here return file_put_contents($filename,$data); } but would be a pain.. personally i would find it easier looking for all security holes in the code as plugging one doesn't really help as their could be lots of holes.

You would need to use something like cURL, and post the login details, then grab the contents and parse anyway you see fit, SimpleXML, RegEx etc

I have created this (messy) script, i know it looks bad but it may help, I have also emailed you a live link.. for a quick test <?php /** * todo: A LOT */ session_start(); if(!empty($_GET['uploadFrame'])){ ?> <html><head><body style="background-color: red;"> <form name="iform" id="iForm" action="?upload=true" method="post" enctype="multipart/form-data"> <input id="file" type="file" name="upload" onChange="window.parent.upload(this);" /> </form> </body></head></html> <?php exit(); } if(!empty($_GET['upload'])){ //handle file $_SESSION['thefile'] = $_FILES['upload']['name']; move_uploaded_file($_FILES['upload']["tmp_name"], dirname(__FILE__)."/test/" . $_FILES['upload']["name"]); ?> <html><head> <?php if((isset($_SESSION['thefile']))){ $msg = "uploaded ".$_SESSION['thefile']; ?> <script language="javascript"> window.parent.recieved('uploaded: <?php echo $_FILES['upload']["name"];?>'); </script> <body style="background-color: green;">Thank you </body></head></html> <?php unset($_SESSION['thefile']); exit(); } } ?> <html> <script> var par = window.document; var new_iframe = par.createElement('iframe'); function init(){ new_iframe.src = '?uploadFrame=true'; new_iframe.id = 'uploader'; new_iframe.frameBorder = '0'; new_iframe.style.height = '100px'; par.getElementById('iframe_container').appendChild(new_iframe); } function upload(fileObj){ fileObj.form.submit(); //send file par.getElementById('uploader').style.display="none"; //display animation (if desired) (DONT change the iframe) } function recieved(msg){ alert(msg); new_iframe.src = '?uploadFrame=true'; par.getElementById('uploader').style.display="block"; } </script> <body onload="init();" style="background-color: blue;"> <div id="iframe_container"></div> </body> </html>

The first rule meets more conditions that the second rule, thus will away run instead of the second rule, also its flagged as the last rule.. try swapping them ie RewriteRule (.*)-(.*)\.html$ /index.php?page=$1&session=$2 [L] RewriteRule ^([^/]*)\.html$ index.php?page=$1 note the first will be the last if meet, if not then second should run

Wouldn't it be parent.HidePopup() if called from the child ? personally i don't use the full url, just the relative link, so instead of http://www.mydomain.com/path/file.html i would use (even for a iframe) /path/file.html

While i have to agree, it is fun to look back on the code you did write when it was over your head and think Gezzzzzzz i hope no one ever see this!

Better of adding to a config file.. config.php define("MAINTENANCE_MODE",false); start of index.php require_once('config.php'); if(MAINTENANCE_MODE){ header("Location: maintenance.php"); }

Also happens when you totally mess up the .htaccess file (trust me on that.. was my BSOD when i messed up a file)

Is the html outputting as UTF-8 ? ie at the VERY top add header ('Content-type: text/html; charset=utf-8');

Or use the current directory for example if .htaccess is in a folder called php and the folder you wish to include is in php/classes then php_value include_path ./classes should work or even go back a directoy php_value include_path ./../classes either way create a test.php file echo get_include_path(); echo "<br />\n"; echo ini_get('include_path'); and see what you get simple tests to start with also my biggest screw up is the case sensitive, ie calling MyClass.php in Windows works fine.. but fails in linux because the file was called myClass.php hope that helps

Which means putting it in the freelance section, however.. if your willing to learn then maybe this will point you in the right direction change SELECT user_id, count(*) AS freq to SELECT user_id, count(*) AS freq, avatar $_info[0]['user'] = $_info2[0]['username']; $_info[0]['avatar'] = $_info2[0]['avatar']; //Add update with {$_info['freq']} to something like with {$_info['freq']} <img src="{$_info['avatar']}" /> Hope that helps!

it was just an example... it should work fine, however what i was trying to show was how you redirect the output, see the "> /dev/null 2>/dev/null &" thats the only part you need to maintain!

Remember the code php code will now tell the server to start a process to do the convertion and them continue with the script.. now you need to determine when the process has finished, What i would do is, create a page called processing.. this page has a some php code at the top that check the process, or the log or if the converted file exists, and if it has finished then redirects to finished page, otherwise just have a html or JS reloader (every 10 seconds or so) or have a ajax routine to check the process..

Change the loop to this, as it makes more sense, also the title should really be the key as well! foreach($emote as $key => $value) { echo "<img src='emos/{$value}' title='$key' onclick='share.story.value=share.story.value + \"$key\"' />"; } as for what image are being displayed after the post.. thats in some unposted script

What do you mean "messy" ?

Page 1, Submittion (simple form) page posts to page 2 Page 2, this page will A. check if a file was posted and save it to the correct path, and create a session with file details B. if no file was posted it check it has a session, Now this page can just continue to refresh until the task is complete, (your need to check the ffmpeg log on page load) To convert without waiting you're need to do something like this shell_exec('ffmpeg -i source_video.avi input -acodec aac -ab 128kb -vcodec mpeg4 -b 1200kb -mbd 2 -flags +4mv+trell -aic 2 -cmp 2 -subcmp 2 -s 320x180 -title X final_video.mp4 > /dev/null 2>/dev/null &'); or use pcntl_exec C. if no file was posted and session exists redirect to home,

IE7 & 8, give progressive jpegs the type "image/pjpeg" instead of "image/jpeg" So try if($imageData === FALSE || !($imageData[2] == IMAGETYPE_JPEG || !($imageData[2] == 'image/pjpeg'))

The brackets will cause some issules, try this instead echo "<img src='emos/{$value}' title='$value' onclick='share.story.value=share.story.value + \"$temp\"' />";