xylex

Members
  • Posts

    292
  • Joined

  • Last visited

Everything posted by xylex

  1. http://us2.php.net/manual/en/domdocument.getelementsbytagname.php
     http://us2.php.net/manual/en/class.domnode.php#domnode.props.attributes
  2. PHP already has a number of XML libraries that do all the functionality that it looks like simplehtmldom is trying to replicate, which is probably why that project seems abandoned (last commit was 2008). http://us2.php.net/manual/en/refs.xml.php Not sure what you're trying to do, but DOM and SimpleXML come to mind as good ones to look at.
  3. Just throwing it out there, but maybe using one of the half dozen built-in DOM libraries in PHP instead of one thrown together with a bunch of regular expressions and recursive calls would improve performance?
  4. Are you using the legacy mssql library or new SQLSRV one from Microsoft? sqlsrv_connect() takes the characterset as an option - http://msdn.microsoft.com/en-us/library/ff628167(v=SQL.90).aspx
  5. I have yet to find a script that sends out e-mail plaintext but takes the time to implement two-way encryption in the database, so you can probably assume that they're saved plaintext. It's usually safe to say that when you find one huge security hole (sending plaintext passwords over totally insecure protocols would fall under this category), there's a lot more best practices that are being ignored.
  6. That script buisnessman pointed you to makes it really, really easy to spoof IP addresses since it looks at *FORWARDED_FOR headers, which are just sent by the client and you can set these really easily using Modify Headers or similar browser plugins. At least using the REMOTE_ADDR makes a person have to work a bit to spoof it even though you might have more duplicates.
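An added example (not from the original post) of the distinction made above: `REMOTE_ADDR` is the TCP peer and is used as-is, while `X-Forwarded-For` is only consulted when that peer is a reverse proxy we operate. The proxy address, the request arrays and the `clientIp()` helper are all constructed for this demonstration.

```php
<?php
// Added example (not from the original post): derive a client address without
// trusting X-Forwarded-For unless the request came through a proxy we control.
// TRUSTED_PROXIES and the two sample $_SERVER arrays are constructed for the demo.

declare(strict_types=1);

const TRUSTED_PROXIES = ['10.0.0.5'];  // constructed: our own reverse proxy

function clientIp(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        throw new RuntimeException('REMOTE_ADDR missing or not an IP address');
    }

    // A client can put anything into X-Forwarded-For. Only believe the header when
    // the TCP peer is one of our proxies, and then take the address the proxy
    // appended (the rightmost value), never the client-controlled leading one.
    if (in_array($remote, $trustedProxies, true)
        && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($chain);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }

    // Direct connection (or an unusable header): the peer address is the client.
    return $remote;
}

// Constructed requests: a direct client that sets the header itself, and a
// request that arrived via our proxy, which appended the real client address.
$spoofed = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',   'HTTP_X_FORWARDED_FOR' => '198.51.100.9'];

printf("direct client:  %s\n", clientIp($spoofed));  // header is ignored
printf("via our proxy:  %s\n", clientIp($proxied));  // header is used
```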
  7. What geek factor? "Hey beautiful, I have 12 million pixels of screen space back at my place. Want to come see it?" works almost every time.
  8. That's one impressive box. You ever come close to maxing out all 6 cores other than benchmarking?
  9. So, my new system from work puts me up to six monitors, normally across 3 systems running Fedora, XP, and Win 7, but I also have a Mac system and a Vista system I can bring into the mix for a total of 14 cores and 26 GB of RAM. I'm told that it's overkill, but I'm sure that some of you guys have comparable or sweeter setups. So let's hear about/see them.
  10. Programming is what you make of it, and in your case, maybe you'd find it more challenging if you'd set the bar a bit higher for yourself. Not trying to jump down your throat here, but you have said in previous posts that your current system is all procedural, you're happy with good enough code if your client/employer is happy with what it does, you don't make a huge effort to stay on top of new best practices and integrate them into your projects, and you're saying now that you regularly cut and paste code. Coding is all about innovation, and with no innovation going on, of course you'll get bored quick. When I'm slow at work, I'm doing stuff like looking for ways to optimize the system, learning the latest hack and how to defend against it, looking at old code and trying to think of better ways I could have written it. As a result of these types of things, I do things like take the average load time of the pages of our website from 400ms down to 100ms; my team and my employer are pretty confident that if we ever do get a security breach, it'll be on the ops side of things and not the application, and we have a very clean, easy to follow codebase. Which in turn means that routine work goes very quickly and I can spend more time on the projects I choose. And most importantly, this makes me love what I do and take a whole lot of pride in it.
  11. Dryer sheet wipedown to the boards, and Febreeze'd the heat sinks & PSU and let dry. Thanks guys.
  12. Work just sent me a computer that reeks of cigarette smoke. I've wiped down everything that was safe to and blew out the rest, but it's still making my office smell. Anyone ever have any luck getting rid of the smell? Google's got lots of suggestions to try various methods, but not much about people saying any of that actually works.
  13. Old one, but still supported through Windows 7, Visual Basic 6.0 is how I learned to do my first desktop programs. It's pretty straightforward when what you want is to popup a window with a click this button->run this script interface.
  14. I was just quoting the snippet of the code that has the injection vulnerability, I didn't change anything other than taking out the code not relevant to what I was talking about. $key is the $_POST key from the client, and the code only checks that it starts with 'Q' before using it totally unescaped in the database.
  15. You also have that sql injection vulnerability in there you should probably take care of.

      ```php
      while (list($key, $val) = each($_REQUEST)) {
          if (preg_match("/^Q/", $key)) {
              $sql = "INSERT INTO ANSWER (Q_ID,TEXT,R_NUMBER) VALUES";
              $sql .= "('" . $key . "[]','" . addslashes($_REQUEST[$key][$i]) . "','" . $requestNumber . "')";
          }
      }
      ```

      Need to do more validation than making sure $key starts with a Q.
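An added example (not the original poster's or the project's code) of the fix suggested in the two posts above: the request key is checked against an exact `Q<digits>` shape rather than just a leading `Q`, and the key, the text and the request number are bound through a prepared statement instead of being concatenated into the query. The `storeAnswers()` function, the in-memory SQLite database and the sample request are constructed for the demo; the `ANSWER (Q_ID, TEXT, R_NUMBER)` table matches the schema quoted in the post.

```php
<?php
// Added example (not the original poster's code): the same insert, hardened.
// Table layout follows the ANSWER (Q_ID,TEXT,R_NUMBER) statement quoted above;
// the database, the helper and the request array are constructed for the demo.

declare(strict_types=1);

function storeAnswers(PDO $db, array $request, int $requestNumber): int
{
    // One prepared statement, reused for every row; values never touch the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO ANSWER (Q_ID, TEXT, R_NUMBER) VALUES (:qid, :text, :rnum)'
    );

    $inserted = 0;
    foreach ($request as $key => $values) {
        // Only keys of the exact shape Q<digits> are question ids. A key such as
        // "Q1','x','0'),(" passes the original /^Q/ check but is rejected here.
        if (!preg_match('/^Q\d{1,6}$/', (string) $key)) {
            continue;
        }
        foreach ((array) $values as $text) {
            // Reject non-string and oversized answers before they reach the DB.
            if (!is_string($text) || mb_strlen($text) > 4000) {
                continue;
            }
            $stmt->execute([
                ':qid'  => $key,
                ':text' => $text,
                ':rnum' => $requestNumber,
            ]);
            $inserted++;
        }
    }
    return $inserted;
}

// In-memory SQLite stands in for the real database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ANSWER (Q_ID TEXT, TEXT TEXT, R_NUMBER INTEGER)');

// Constructed request: one legitimate answer and one key shaped like an injection.
$request = [
    'Q12'            => ['yes'],
    "Q1','x','0'),(" => ['dropped by the key check'],
];

printf("rows inserted: %d\n", storeAnswers($db, $request, 42));
foreach ($db->query('SELECT Q_ID, TEXT, R_NUMBER FROM ANSWER') as $row) {
    printf("%s | %s | %d\n", $row['Q_ID'], $row['TEXT'], $row['R_NUMBER']);
}
```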
  16. Use preg_replace() or preg_replace_callback() instead of preg_match() ?
  17. Are you thinking include() inside a class works for multiple inheritance? Wrong language........
  18. I have no idea what you mean by a server diode, but do some research on XDebug or Zend Debugger, both can do what you need.
  19. For optimizing the script for server performance, I usually start with profiling the script with XDebug or Zend and dropping that into KCachegrind (Callgrind on Windows). I have a blog post that goes into a bit more detail in the link in my sig. Rasmus Lerdorf also does a ton of talks about PHP performance, and you can get the slides for them at http://talks.php.net/index.php/PHP
  20. Just realized I'm missing a step at the end of the first snippet - $Foo = new B(); $Foo->test();
  21. Going a little off topic here, but you did say you wanted in depth. In addition to Nightslyr's explanation, PHP has some language specific conventions about how visibility works. DISCLAIMER - These are just things that PHP does, I certainly am not condoning them as a good programming practice to do any of the following.

      Protected members are also accessible to the parent class as well. So a parent method can reference a protected member that won't be defined until the child class.

      ```php
      class A {
          public function test() {
              $this->echoOne();
          }
      }
      class B extends A {
          protected function echoOne() {
              echo '1';
          }
      }
      $Foo = new B();
      $Foo->test(); //echoes 1
      ```

      Child methods can directly access protected members of an instantiated class. Continuing from above:

      ```php
      class C extends B {
          public function actOnFoo() {
              global $Foo;
              $Foo->echoOne();
          }
      }
      $Bar = new C();
      $Bar->actOnFoo(); //echoes 1
      ```

      And then there's the fun one, that another instance of the same class can directly access private members of an instantiated class. This one actually can be useful if you ever need to get information about an object's private properties when you don't have access to the code, and conversely means that you shouldn't architect anything depending on visibility keywords for security.

      ```php
      class D {
          private $n;
          public function __construct() {
              $this->n = 3;
          }
          public function actOnD1($newN) {
              global $D1;
              $D1->n = $newN;
          }
          public function echoN() {
              echo $this->n;
          }
      }
      $D1 = new D();
      $D2 = new D();
      $D2->actOnD1(5);
      $D1->echoN(); //echoes 5
      ```
  22. Please do not do this, you would be building a session fixation vulnerability into your app. http://www.php.net/manual/en/session.security.php - link at top. Sessions are stored on the server, so you're not passing the session variable around, just the session cookie. Just make sure you're not setting the cookie as secure only, as well as the corresponding session.cookie_secure ini setting, and you should be good. Firecookie can tell you if it's not matching for whatever reason.
  23. run-parts is for running files in a directory, not for a specific file. And do you need to run it as root? If not:

      ```
      01 * * * * php /daemons/hourly.php
      ```
  24. For just running a simple test to a url, Siege works well for me: http://www.joedog.org/index/siege-home
  25. Sounds like you're way below the minimum PCI standards that are required to be storing credit card numbers, like being strongly encrypted, stored on a separate server, firewalled from your public server, lockbox storage of your decryption key, etc. The PCI standards were written by people who are far more accomplished than you, and they are standards that you'd know about, along with the reasons they're there, if you had "wasted your time" learning about security theory and best practices and taken the time to implement them. As numerous people have pointed out, security isn't the only thing that goes into what makes good software, but if that's what you're so focused on, it sounds like you don't even have the right intrusion detection pieces in place to know if you're being hacked right now. Knowing and understanding practices like this is why taking the time to learn the fundamentals and best practices and almost always following them is what separates the average and below average programmers from the really good ones. Which is why all these well respected forum members encouraging someone like the OP, who's asking how to learn PHP, to take baby steps through the basics to build a strong base is the best approach. It's also why they are so discouraging of your approach of constantly diving in over your head and hacking away, an approach that will never make you better than mediocre.