
eXeCuTeR

Members
  • Posts

    41
  • Joined

  • Last visited

    Never

Everything posted by eXeCuTeR

  1. I wanna make an updating signature for example like here: http://www.draynor.net/statsig.php I wanna make it on runescape hiscores. To get a username through an HTML form and to fill the image with his stats. I know there's a combination and GD. Can you guys help me all along how to make it? I thought of this: Create a socket that connects to runescape.com-hiscores, but then what? I'd if you'd help me with the code too, I tried and I'm in a mess. Thanks.
  2. ~ mgallforever, This is exactly what I meant which is not right and inefficient. Daniel0, What do you mean?
  3. How could I possibly secure PHP injections? I could simply do it with regex, but it would be too stupid:

     ```php
     // Assuming $string is the site.com/index.php?phpfreaks=$string...
     $string = htmlspecialchars(mysql_real_escape_string($_GET['phpfreaks']));
     if (preg_match("/ php_functionName(\(.*)\)/i", $string)) {
         // Ban the user or else
     }
     ```

     Including all PHP functions or just 40 dangerous functions will be totally stupid. Any other suggestions how to secure PHP injections?
  4. Hmm, OK, sorry then I'll google it, thanks.
  5. In case I found an XSS, what could I possibly do to the website? Could I edit it or access the DB or something? Please give an example of a string that does the same thing.
  6. NVM, seems like my security system works perfectly.
  7. I'm trying to make it go over all URLs and forms, and in the main function it'll protect each URL and form that exists in the directory/directories. Is that possible? Edit: correction:

     ```php
     foreach ($_REQUEST as $value)
         main($value);

     function main($value) {
         // .... BLA BLA BLA.....
     }
     ```

     Forgot to add $value as a parameter to main.
  8. Hello, if I'll type:

     ```php
     foreach ($_REQUEST as $value)
         main($value);

     function main() {
         // .... BLA BLA BLA.....
     }
     ```

     Is it possible to type it and it'll protect all of my pages? The URLs and forms?
  9. Oh, the . quantifier matches only 1 character?
  10. You didn't answer my question. Why do they use . and then * together? Thanks for the explanation tho.
  11. What does the .* mean? I know it's 2 tags and not 1 but sometimes people write it and it seems so stupid to me. Why? . means all characters except \n * means 1 or more characters. And sometimes they end it like this: .*? Would you please explain this to me? Thanks.
  12. May I ask what method you chose? Mine or his?
  13. 
      ```php
      $query = mysql_query("SELECT * FROM `users`") or die(mysql_error());
      while ($row = mysql_fetch_array($query)) {
          $loginName = $row['loginName'];
          $email = $row['email'];
          /* You can add: md5('hello') == $password || $createDate = "11.12.07"
             but think about it, if 2 users have registered on the same date and with the same password,
             you don't want it to block 1 of em because he chose the same password or registered
             on the same date the other one did.
             If you still want it to be like this, also add
             $password = $row['password']; and $createDate = $row['createDate']; */
          if ("Kelz" == $loginName || "lala@yahoo.com" == $email)
              echo "loginName::Kelz already exists OR email::lala@yahoo.com is already in use.";

          /* **** OR : **** */
          // (same thing, just look at it)
          if ("Kelz" == $loginName)
              echo "loginName:: Kelz already exists";
          if ("lala@yahoo.com" == $email)
              echo "email::lala@yahoo.com is already in use.";
          else {
              // Insert values...
              mysql_query("INSERT INTO `users` (`loginName`, `createDate`, `password`, `email`) VALUES ('Kelz', '11.12.07', md5('hello'), 'lala@yahoo.com')");
              // BTW, your query was wrong -> after md5('hello') you typed ' ' and then ' ' again which is wrong - SQL thinks it's another value.
              // Look at the query I typed, this one works.
          }
      }
      ```

      If it seems that the code I typed is really long - it's not, I just typed a lot of comments to explain things to you, lol.
  14. Darn, I was just about to ask if you have multiple variables ^^