Everything posted by premiso

  1. I like to set up leghold traps, the non-padded kind. Give their leg a "jolt"!
  2. Nope, it is secure enough.
  3. $query = sanitize(strtolower($_POST['query']));
     // selecting the column you need will tend to yield more efficient queries.
     $sql = "select `count` from " . $prefix . "searches where search_term = '$query'";
     $result = mysql_query($sql, $db) or trigger_error("MySQL Select Failed: " . mysql_error());
     if (mysql_num_rows($result) > 0) {
         $sql = "update " . $prefix . "searches set `count` = `count`+1 where search_term = '$query'";
         $result = mysql_query($sql, $db) or trigger_error("MySQL Update Failed: " . mysql_error());
     } else {
         $sql = "insert into " . $prefix . "searches (search_term, `count`) values ('$query', 1)";
         $result = mysql_query($sql, $db) or trigger_error("MySQL Insert Failed: " . mysql_error());
     }
     Try that, you do not need to pull the data out of the database and add it with PHP; MySQL is perfectly capable of doing such mundane tasks. As I am not sure if "count" is a reserved word in MySQL (I know it is a function) I encased it in backticks so it will definitely be passed / treated as a column. See if that fixes your issue.
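The same "count this search term" logic as in post 3, written here as an added example (not code from the thread) with PDO prepared statements, so the term is sent as a bound parameter instead of being pasted into the SQL text and no sanitize() helper has to be trusted. It assumes a PDO connection ($dsn, $user, $pass are yours), the table {$prefix}searches(search_term, `count`) from the post, and that $prefix is a plain identifier.

```php
<?php
// Added example, not from the original post. Counts a search term with
// prepared statements; the term never becomes part of the SQL string.
// Assumed schema (from the post): {$prefix}searches(search_term, `count`).

function countSearch(PDO $db, string $prefix, string $term): int
{
    // The table prefix is the one part that cannot be a bound parameter,
    // so it is restricted to a plain identifier before being interpolated.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $table = "`{$prefix}searches`";
    $term  = strtolower($term);

    $db->beginTransaction();
    try {
        // FOR UPDATE locks the row so two concurrent requests cannot both
        // decide to INSERT the same term.
        $select = $db->prepare("SELECT `count` FROM $table WHERE search_term = ? FOR UPDATE");
        $select->execute([$term]);
        $row = $select->fetch(PDO::FETCH_ASSOC);

        if ($row !== false) {
            $update = $db->prepare("UPDATE $table SET `count` = `count` + 1 WHERE search_term = ?");
            $update->execute([$term]);
            $count = (int)$row['count'] + 1;
        } else {
            $insert = $db->prepare("INSERT INTO $table (search_term, `count`) VALUES (?, 1)");
            $insert->execute([$term]);
            $count = 1;
        }
        $db->commit();
        return $count;
    } catch (PDOException $e) {
        $db->rollBack();
        throw $e;
    }
}

// Usage: $dsn/$user/$pass and $prefix are assumed to be defined by your config.
$db = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
echo countSearch($db, $prefix, (string)($_POST['query'] ?? ''));
?>
```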
  4. The error you just showed is a JavaScript error, and in your original post you did not show any JavaScript that I can tell. Since this is Joomla you are using, you may do better to post the entire issue, with that JS error, on their forums, as they are tailored to that software. As for us solving that error, it is very unlikely unless someone installs the exact Joomla version you are using and tries. As for me, I do not feel like diving into Joomla to try and find the issue, sorry.
  5. Use isset on the if ($_COOKIE) like shown for the GET variables. isset tests if the variable is set; doing this will not throw the undefined index notice. So yea, take the logic that was given to you and apply it to the rest of the script on COOKIE / GET / POST variables that are coming in which may or may not exist.
  6. @Op, your code looks fine, and is probably as secure as you can make it. As long as mysql_prep escapes the string data, I think you are safe. You are not secured from all attacks, such as session hijacking, which is a huge issue mainly on shared servers. But if you are not on a shared server, that should be secure. The main issue is going to come from, not the validation, but the rest of your code. As long as you validate that the user is allowed, and your main pages that people can view are not making elementary mistakes, such as including a URL in include, or passing unknown data into an include call, you should be fine. Just make sure that you validate any data coming in from forms / GET. If you do not do that, your site can more or less easily be exploited.
  7. The nl2br is going to add line breaks wherever there is a \n. To remove this, simply take the nl2br out of this line:
     $this->location = nl2br($this->event->location());
     If you do that, just remember to always do HTML for the location, cause just doing plain text with line breaks will put it all on one line and break it out.
  8. No. PHP is server side, so that query is run well before the JavaScript interacts with the client. To do that you would have to have a file.php that the onClick calls, or set up AJAX to handle it. Either should work. The non-AJAX method would require a "pop-up" window which you can make auto-close, or a page refresh. The AJAX version would not require either. But this is not do-able with how you are trying to, since PHP is executed on the server (before the client sees the page) and JS is executed on the client side (after the PHP code runs).
  9. Are you meaning to echo it, or do you want to re-assign the escaped data to the array? If the latter, this is why:
     foreach ($variable as $a => $b) {
         $variable[$a] = addslashes($b);
     }
     Will assign the addslashes version of $b and print it out properly.
  10. Help! I need somebody, Help! Not just anybody, HELLPPPPP!
  11. PHP6? I was under the impression that they canned that project. At least the code anyways.
  12. It may be that you are not escaping the slashes.
      $status = exec("c:\\xampp\\htdocs\\i_view32.exe /slideshow=xxx.txt");
      Give that a try and see if it yields some results. Just a note, this will only work on your server; if the server is on your local machine and that is what you want, it should work properly.
  13. Really?
      private function getItems() {
          $itemsTable = "entries";
          $this->dbConnect($itemsTable);
          $query = "SELECT title, DATE_FORMAT(`timestamp`, '%Y-%d-%m %h:%i:%s') as timestamp FROM " . $itemsTable;
          // ... rest of the method unchanged
      }
      Not really anything to do with PHP, more to do with sense. You replace the only query that uses $itemsTable with that one...
  14. Yep, either pull it out of MySQL using its built-in DATE_FORMAT function or use PHP's date function. Personally, I would pull it out using MySQL's DATE_FORMAT.
      $query = "SELECT title, DATE_FORMAT(`timestamp`, '%Y-%d-%m %h:%i:%s') as timestamp FROM " . $itemsTable;
      Should get you what you want.
  15. Why not do the time check inside the SQL?
      $query = "SELECT sender FROM messages
                WHERE NOW() < DATE_ADD(`time`, INTERVAL 2 MINUTE)
                  AND (reciever='$un' AND sender='$username')
                ORDER BY `time` DESC LIMIT 1";
      Then if a row is returned by the query, they are considered flooding. This is untested. For more information on DATE_ADD see the MySQL Reference Manual.
  16. if (strstr($email, '@yahoo.com')) {
          echo "Yep, @yahoo.com email.";
      }
      See strstr; you may also want to take notice of all the string functions in the manual.
  17. All they have to do is try and stop being dumb and clicking on random shit that pops up? But the same can be said for XP; they can easily disable network drivers through My Network Places etc., what is the difference? If they just go and randomly click on stuff that they do not know what it does, well, they deserve to be without Internet etc. If anyone calls me for stupid stuff like that (family members) I tend to make them wait a few days before I tell them the answer, to teach them NOT to click on random stuff. If they were being intuitive and trying to learn about computers, I do not help them and make them help themselves, as that is the only real way to learn: trying and fixing it yourself. As far as XP to 7, Win 7 is actually pretty nice, I like it much better than XP. It may be a little slower at times, given that you need a bit more processing power / RAM, but it runs pretty smooth for the most part. As for me, I will stick to my Ubuntu OS, it treats me with kindness and no expenses.
  18. Create your own topic about it. No need to bump dead topics when you can create your own. As such I won't reply here (other than informing you of such).
  19. Why are you extracting $_REQUEST? Why not just access them via the way you expect them to come in from? IE:
      <?php
      if (isset($_FILES["file"]) && !empty($_FILES["file"]["name"])) {
          // keep only the base name of the client-supplied file name, and move the
          // uploaded temp file rather than copy()ing an unknown path
          $filename = basename($_FILES["file"]["name"]);
          move_uploaded_file($_FILES["file"]["tmp_name"], "documents/$filename") or die("Could not copy file");
      }
      // Why do a meta refresh?
      // print "<META HTTP-EQUIV=\"Refresh\" content=\"0;URL=admin_cpanel.php\">";
      // header works pretty well (it must be sent before any output):
      header("Location: admin_cpanel.php");
      ?>
      Should work like you want it to. Not sure where file_name is even coming from, to be honest; seems like we may be missing a piece of the puzzle, but that should work.
  20. Putting it into the file seems to be the wise choice. If, however, you plan on just displaying that file highlighted, you should be able to rename it to .phps (you may have to modify the apache httpd.conf and add the type) and it should show the source highlighted just fine.
  21. Once I am logged in, I can easily spoof the js page and send fake data to your script. It is not really hard for me to create a page that all it does is post to that script using certain means. There are methods to be put in place that can prevent this, but if they are not it is pretty easy to spoof data. That would work, if your js page is created by PHP and you use proper syntax:
      param += '&name=<?php echo $user->username; ?>';
      Would be more of what you need to put in there, but like I said you have to have that object defined / instantiated previously on that js page in the code behind, and it has to be parsed as PHP even though it is serving out JavaScript code.
  22. You are concatenating ifs and foreaches into your code, which is not proper syntax...in any language that I know. I would read up on proper syntax usage. In the mean time this is how it should look (at least one way):
      <?php
      session_start();
      include('../resources/config.php');
      include($config["paths"]["resources"] . 'opendb.php');
      include($config["paths"]["resources"] . '_library/login.php');
      include($config["paths"]["resources"] . '_library/cart.php');

      $content = '<h2>Checkout</h2>';
      if (isset($_SESSION['cart'])) {
          $content .= '
          <form action="index.php?view=update_cart" method="post">
          <table id="items">
          <thead>
          <tr>
          <th>Item</th>
          <th>Item Price</th>
          <th>Qty</th>
          <th>Subtotal</th>
          </tr>
          </thead>
          <tbody>';
          // keep syntax similar, use one or the other (the foreach () : endforeach / if : endif; or { })
          foreach ($_SESSION['cart'] as $id => $qty) {
              $product = find_product($id);
              // escape values that end up inside HTML so a title or id cannot inject markup
              $content .= '
              <tr>
              <td>' . htmlspecialchars($product['title']) . '</td>
              <td>$' . number_format($product['price'], 2) . '</td>
              <td><input type="text" size="2" name="' . htmlspecialchars($id) . '" maxlength="2" value="' . (int)$qty . '" /></td>
              <td>$' . number_format($product['price'] * $qty, 2) . '</td>
              </tr>';
          }
          $content .= '
          </tbody>
          </table>
          <p><input type="submit" name="update" value="update" /></p>
          </form>';
          echo $content;
      } else {
          echo '<p>your cart is empty... <a href="index.php">continue shopping</a></p>';
      }
      include($config["paths"]["resources"] . 'closedb.php');
      ?>
      It seems like you were combining different syntax, which I bet you picked up from some templates. Like I said, read up on proper syntax, look at what I fixed and why it was that way. Note that I changed the foreach () : to foreach () { since you are using if () {; you should keep it similar, so either change the if to use the endif; format like the endforeach;. It is better not to mix and match them as it causes confusion for some people.
  23. On the JavaScript page, if it is .php, you just need to access that object and populate it. But doing this is unwise, because anyone could easily spoof someone else's name. Instead, why not grab the name on the PHP side and then pass it to the AJAX call to use? This way you control what name is displayed and what name is used.
  24. Not sure if this helps, but you can use HEREDOC syntax:
      <?php
      // before PHP 7.3 the closing identifier (CODE;) must start at column 0
      $string = <<<CODE
      <?php echo "Test'"; ?>
      CODE;
      highlight_string($string);
      ?>
      Which should alleviate worrying about quotes etc.
  25. mmmm, array_search. Sometimes reading the manual can help. Edit: But if the value is just the index, there is not even a need to do this; this would suffice:
      if (isset($second_array[$key])) {
          $second_value = $second_array[$key];
      }
      Simple as that.
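Posts 21 and 23 describe the problem (a client can post any name to the script) but not the fix. The following is an added example, not code from the thread: an AJAX endpoint that takes the identity from the server-side session and requires a per-session token, so a page on another origin cannot submit on a logged-in user's behalf. It assumes login.php stores the authenticated user in $_SESSION['username'] and that the page issuing the AJAX call includes this script's GET output to obtain the token.

```php
<?php
// Added example, not from the thread. Identity comes from the session; the
// posted "name" field is ignored. Assumption: login.php sets $_SESSION['username'].
session_start();

function csrfToken(): string
{
    // one random token per session, generated on first use
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function currentUser(): ?string
{
    return $_SESSION['username'] ?? null; // set by login, never by the client
}

function handlePost(array $post): array
{
    $user = currentUser();
    if ($user === null) {
        return ['status' => 403, 'error' => 'not logged in'];
    }
    $sent = $post['token'] ?? '';
    // constant-time comparison so the token cannot be guessed byte by byte
    if (!is_string($sent) || !hash_equals(csrfToken(), $sent)) {
        return ['status' => 403, 'error' => 'bad token'];
    }
    // Whatever "name" the page posted is discarded; the session decides.
    $message = trim((string)($post['message'] ?? ''));
    return ['status' => 200, 'user' => $user, 'message' => $message];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = handlePost($_POST);
    http_response_code($result['status']);
    header('Content-Type: application/json');
    echo json_encode($result);
} else {
    // GET: serve the JavaScript with the token filled in server-side, the way
    // post 21 suggests filling in the username (hex token is safe in a JS string)
    header('Content-Type: application/javascript');
    echo "var csrfToken = '" . csrfToken() . "';\n";
    echo "var param = 'token=' + csrfToken + '&message=' + encodeURIComponent(message);\n";
}
?>
```

The served JavaScript assumes the including page defines a `message` variable before building `param`, matching the `param +=` pattern in post 21.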