Everything posted by MadTechie
-
can someone hack my site... dont break it though!
MadTechie replied to zulugogogo's topic in Beta Test Your Stuff!
On the login button -
Please Check My Code And Tell Me What I Did Wrong.
MadTechie replied to jossylala's topic in Third Party Scripts
Well, setting the $port to something would probably be an idea! Also, http://www.frihost.com/api/send_sms.php doesn't seem to exist!
-
I would go with

    $html = preg_replace('%^.*?</script>%si', '', $html);
-
That's not what you asked, and from the first question you haven't given any details I can work with!
-
try this

    <?php
    $html = '<script LANGUAGE="JavaScript"><!-- document.write(unescape("%3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22%4A%61%"));//--></SCRIPT>';
    if (preg_match('/unescape\((["\'])([\da-f%]*?)\1\)/i', $html, $regs)) {
        echo urldecode($regs[2]);
    }
    ?>
-
It takes more to spoof mime than change an extension, and what about the poor Macintosh users?

IMHO: mime is better than extensions, but I normally opt for:
1. check mime, if that fails check extension,
then I add *some code to verify it is what it is, and then put the renamed files in a safe zone.
That should kill off most attacks.

*this can take up a lot of resource, but can probably be skipped if the other measures are followed
-
add a normal php file to that folder to test it (keep the .php on),

    <?php phpinfo(); ?>
-
create .htaccess on the root, and put

    <Directory "public_html/site.com/uploadfolder">
    php_admin_flag engine off
    </Directory>

in it, replacing uploadfolder with the upload folder.

As a note, I just ran some tests with the folder permission set to 750:
LAMP - CENTOS 5.3 / PHP 5.2.8 /Apache-2.0.63 - exploit failed
WAMP - (wampserver) (WinXP / Apache-2.2.8 / PHP 5.2.6) (permissions don't apply) - exploited (no surprise here)
WAMP - (WinXP / Apache-2.2.11 / PHP Version 5.2.9) exploit failed
I don't have IIS so can't test that
-
[SOLVED] Help me converting unixtimestamp with time() please!
MadTechie replied to samoi's topic in PHP Coding Help
see the Date() function -
Personally I believe anything that gets uploaded should be handled with care! So outside the public is the best option, but if that's not possible then just turn the PHP Engine off in your upload folder. IE

    <Directory "/var/www/html/uploads">
    php_admin_flag engine off
    </Directory>

Always rename the file when possible and re-create the image if possible (this in fact reduces its size, thus for a small amount of one-off resource, you save bandwidth and space).

The fact is this exploit has been out for years, but people still don't take care,
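
The upload checks described in the posts above (content-based MIME check, verifying the file really is an image, renaming, re-creating the image, storing it in a safe directory), as an added example that is not part of the original posts. The function name `store_uploaded_image`, the list of allowed types and the target directory are assumptions; it needs PHP 7.1+ with the fileinfo and GD extensions.

```php
<?php
// Added example (hypothetical helper, not from the forum posts).
// $safeDir is assumed to be outside the web root, or a directory where the
// PHP engine is switched off as described above.
function store_uploaded_image(array $file, string $safeDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or not an HTTP upload');
    }

    // Allowed types: detected MIME => [extension, GD writer function].
    $allowed = [
        'image/jpeg' => ['jpg', 'imagejpeg'],
        'image/png'  => ['png', 'imagepng'],
        'image/gif'  => ['gif', 'imagegif'],
    ];

    // 1. MIME type read from the file contents; $file['type'] and the
    //    original file name come from the client and are not trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('File type not allowed');
    }
    [$ext, $writer] = $allowed[$mime];

    // 2. Verify it is what it claims to be: GD must decode it as an image.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Not a decodable image');
    }
    imagesavealpha($img, true); // keep PNG transparency when re-encoding

    // 3. Rename: server-generated name, extension from the detected type,
    //    so the client's file name is never used on disk.
    $target = rtrim($safeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // 4. Re-create the image: only decoded pixel data is written out, which
    //    discards trailing bytes and metadata from the original file.
    if (!$writer($img, $target)) {
        throw new RuntimeException('Could not write image');
    }
    return $target;
}
```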
-
Surely your HTML goes from the database into a variable before you echo it..! However, a cheat would be to use ob_get_contents()
-
Cannot modify header information - headers already sent by
MadTechie replied to robert_gsfame's topic in PHP Coding Help
try this

    <?php
    session_start();
    require_once('configuration.php');
    $user = $_SESSION['user'];
    $id = (int)$_GET['id'];
    $query = "DELETE FROM table WHERE user='$user' AND id='$id'";
    $sqlquery = mysql_query($query);
    header("Location: page2.php");
    exit; // stop here so nothing else runs or is output after the redirect

have NOTHING before the <?php (including a space or return)
also update table to the table name

EDIT: oops missed a ?>
Cannot modify header information - headers already sent by
MadTechie replied to robert_gsfame's topic in PHP Coding Help
okay.. first off, I wouldn't post to page2.php, I would post to page1.php and have an if statement to capture the request.. ie

    <?php
    if (!empty($_POST['DELETE'])) {
        $ID = (int) $_POST['DELETE'];
        //DELETE FROM table where ID= $ID
    }
    ?>
    //form here

but could you post your page2.php
-
Yes, it doesn't come with great documentation, and as this is third party I'm going to move it there.

As for all emails, you need an email account with
1. email address
2. host
3. username
4. password
-
another option

    $string = 'Hello world';
    $X = $string[0];
    echo $X; //return H

however I use substr() myself

    $string = 'Hello world';
    $X = substr($string, 0, 1);
    echo $X; //return H

EDIT: updated to set $X as the first letter (in case it helps)
-
Cannot modify header information - headers already sent by
MadTechie replied to robert_gsfame's topic in PHP Coding Help
No you can't.. .. if you could that would be hell for the users.. IMHO headers is a better option, do you have some code you are attempting to get working with headers ? -
Cannot modify header information - headers already sent by
MadTechie replied to robert_gsfame's topic in PHP Coding Help
Many ways.. I normally use some JavaScript to detect if it's on. It's an option in all browsers.
Convert database field to links no matter what...
MadTechie replied to jakubsnm's topic in PHP Coding Help
What's the code that converts "www.userslink.com" to "http://www.mysite.com/www.userslink.com" ? or even converts "www.userslink.com" to a link -
Cannot modify header information - headers already sent by
MadTechie replied to robert_gsfame's topic in PHP Coding Help
that will be fine, for people who have javascript enabled! but everyone else will have problems

quick problem examples

    header("Location: login.php"); //will redirect
    echo "Hello"; //won't display

    echo "Hello"; //will display
    header("Location: login.php"); //will fail
    echo "Hello"; //will display

    Hello
    <?php
    header("Location: login.php"); //will fail
    echo "Hello"; //will display
    ?>

as you can see ANY output will cause the header to fail.. if you post your code (in code tags) I'm sure someone can give you a better option
-
have you added the .php types ?

    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps

in the httpd.conf file ? and are you using <?php instead of just <? in your code ?

EDIT: extra info
Open the Apache configuration file in C:\Program Files\Apache Group\Apache2\conf\httpd.conf and check you have or add the following lines

    LoadModule php4_module php/sapi/php4apache2.dll
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps

then restart apache

if your code had <? instead of <?php then you need to update your code, but for a quick fix, just edit the php.ini file and turn on short_open_tag

EDIT #2: You have short tags on (so I don't think it's a php.ini issue)
-
Echo or use *nix

Just a quick question, what if you added

    $img1 = str_ireplace('.php', '', $img1);
-
I am using an Offset! When you pass LIMIT two arguments the first argument specifies the offset of the first row to return, and the second specifies the maximum number of rows to return, using LIMIT row_count OFFSET offset is purely for compatibility with PostgreSQL.
-
[SOLVED] get confused with uploaded file
MadTechie replied to robert_gsfame's topic in PHP Coding Help
Also
with multiple file_exists("upload/".$filename1) it would be better to have 1 file_exists("upload/".$filename1) as its own if statement if the other if's inside that block,
update all the $HTTP_POST_FILES to $_FILES ($HTTP_POST_FILES is deprecated)
use arrays (see mikesta707 post) for extensions and mimes
simple code always works better, and is easier to read