stoker

New Members
  • Posts: 4
  • Joined
  • Last visited: Never

About stoker

  • Birthday 10/09/1972

Contact Methods

  • Website URL
    http://stokkeland.googlepages.com/

Profile Information

  • Gender
    Male
  • Location
    Salamanca NY

stoker's Achievements

Newbie (1/5)

Reputation: 0

  1. What does unserialize return? Check it with === false as that would indicate the way you store or retrieve the data is not valid... The addslashes seems misplaced if it is meant to make the data valid for an SQL query; then you should use mysql_escape_string on the whole string, not on each line.. Something like

       $placeholders = array("=", "--", "<b>", "</b>", "<i>", "</i>", "<blockquote>", "</blockquote>", "_", " ");
       $replacevals  = array("", "", "[b]", "[/b]", "[i]", "[/i]", "[blockquote]", "[/blockquote]", "", "");
       $ingredients  = $_POST['ingredients']; // You need to clean this data
       $ingr = serialize(explode("\n", htmlentities(str_replace($placeholders, $replacevals, $ingredients))));
       mysql_query("INSERT INTO tablename (columnname) VALUES ('" . mysql_escape_string($ingr) . "');");
       $result = mysql_query("SELECT columnname FROM tablename;");
       $row = mysql_fetch_assoc($result); // fetch from the result resource, not from a column name
       // unserialize first, then decode each element: decoding the serialized string itself would
       // change the recorded string lengths and make unserialize fail
       $test = array_map('html_entity_decode', unserialize($row['columnname']));
       print_r($test); // $test is an array, so print_r rather than print

     or perhaps I misunderstood something here.. anyway, for testing do an unserialize right after the serialize to test it..
  2. If cookies are turned off you must keep the session ID in the URL, or you can simply show some text explaining that cookies are required. This isn't a complete answer, rather a little trick to accomplish page-load-to-page-load verification.
     - Create a session, which the user keeps for the duration of the visit or whatever.
     - For each page load, generate a new random verification key, store it in the session data and use it in GET or POST requests to validate that the next page load comes from the same user.
     The drawback to this is that the browser's back button can't be used, as that would request a page which was using an old key.. I have used this method on checkout systems in multiple places; the main thing is that this session must always require a key, so if you are going from a cart to a checkout process, create a new session just for this purpose and always validate the key..
  3. Something like this perhaps - I only did it on pic 5 and 6 so you can see the diff..

       $default = 'mypic.png';
       mysql_query("UPDATE `listtable` SET
           `mainpic` = '" . $_FILES['pic']['name'][0] . "',
           `pic2` = '" . $_FILES['pic']['name'][1] . "',
           `pic3` = '" . $_FILES['pic']['name'][2] . "',
           `pic4` = '" . $_FILES['pic']['name'][3] . "',
           `pic5` = '" . (empty($_FILES['pic']['name'][4]) ? $default : $_FILES['pic']['name'][4]) . "',
           `pic6` = '" . (empty($_FILES['pic']['name'][5]) ? $default : $_FILES['pic']['name'][5]) . "'
           WHERE `placeid` = '$plid'");

     On another note, this is extremely insecure - crafted filenames could inject SQL into your query - you really need to clean input and output!
  4. Using regex should work?

       $url = $_POST['url']; // do stripslashes and other cleaning here probably
       if (preg_match('/(www\.example\.com|www\.example\..+|.+\.example\..+)/i', $url)) {
           // It matched
       }

     In regex . means match anything, the + is a quantifier of 1 or more, stuff inside parentheses separated by a pipe is basically "or" (a|b|c).. special chars like . and / need to be escaped with \, so a \. means a literal . Regex can be complex stuff but for this task it should be pretty simple..
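One way to harden the picture UPDATE from post 3, as an added example that is not stoker's code: the filenames are bound as parameters instead of concatenated into the SQL string, and each name is checked before it is stored. Table and column names follow the post; the in-memory sqlite database, the sample $_FILES array and the helper names (pickNames, safeFilename, updatePics) are constructed for this example, and pdo_sqlite is assumed to be available.

```php
<?php
// Added example (not from the post): same six-slot UPDATE with the same
// default fallback, but no user-supplied filename ever touches the SQL text.

// Uploaded names are attacker-controlled: drop any path component and accept
// only a conservative character set, otherwise fall back to the default.
function safeFilename(string $name, string $default): string {
    $base = basename($name);
    return preg_match('/^[A-Za-z0-9._-]{1,100}$/', $base) ? $base : $default;
}

// Choose the stored name for each slot: the uploaded name if present,
// otherwise the default, as the post's ternaries do for pic5 and pic6.
function pickNames(array $uploadedNames, string $default, int $slots = 6): array {
    $out = [];
    for ($i = 0; $i < $slots; $i++) {
        $name = $uploadedNames[$i] ?? '';
        $out[] = ($name === '') ? $default : safeFilename($name, $default);
    }
    return $out;
}

// Every value is a bound parameter, so a quote or comment sequence inside a
// filename is stored literally instead of changing the statement.
function updatePics(PDO $db, int $placeId, array $names): int {
    $stmt = $db->prepare('UPDATE listtable SET mainpic = ?, pic2 = ?, pic3 = ?, '
                       . 'pic4 = ?, pic5 = ?, pic6 = ? WHERE placeid = ?');
    $stmt->execute(array_merge($names, [$placeId]));
    return $stmt->rowCount();
}

// --- constructed demo data (sqlite in memory, fake $_FILES) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE listtable (placeid INTEGER PRIMARY KEY, mainpic TEXT, '
        . 'pic2 TEXT, pic3 TEXT, pic4 TEXT, pic5 TEXT, pic6 TEXT)');
$db->exec('INSERT INTO listtable (placeid) VALUES (7)');

$files = ['pic' => ['name' => ["front.jpg", "o'reilly.jpg", "../evil.jpg", "side.png", "", ""]]];
$names = pickNames($files['pic']['name'], 'mypic.png');
updatePics($db, 7, $names);
// Expected: the quoted name is stored as-is, the path-like name and the two
// empty slots become mypic.png.
print_r($db->query('SELECT * FROM listtable WHERE placeid = 7')->fetch(PDO::FETCH_ASSOC));
```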