
schilly


Everything posted by schilly

  1. semicolon on while loop while ($chemprop_row=mysql_fetch_assoc($result3));
  2. Off the top of my head I would say there is a random space somewhere, possibly before the php tag.
  3. is it possible it is not getting into the if statement? if ($plantrow[0] == $_POST["inputplant"])
  4. ah way better. don't know all the array cmds.
  5. nested while loops

         while(cycle yearstokeep){
             while(cycle yearstoremove){
                 if(yearstokeep[i] == yearstoremove[j])
                     delete yearstokeep[i]
             }
         }
  6. Looks like a permissions problem. Probably want to check the joomla forums if it's related to joomla files.
  7. (time() - earliertime) / 60. might need to round it as well.
  8. did you try the file they're using?
  9. Have you tested stringGen()? Can't tell offhand if it's right or not. I just grabbed this code quick off a tutorial. It might work easier.

         //Let's generate a totally random string using md5
         $md5_hash = md5(rand(0,999));
         //We don't need a 32 character long string so we trim it down to 5
         $security_code = substr($md5_hash, 15, 5);

  10. Looks pretty straightforward if you have all your item/qty/price arrays ready: http://ca3.php.net/array_sum
  11. print_r($_POST) and see what it says. Is the field defined correctly? Could try using isset($_FILES['file']) instead?
  12. Awesome thanks. I didn't really think about being able to bypass the header cmd. I'm guessing this is the problem. I will update tonight and see how it goes.
  13. Ok so essentially custom requests to web servers can essentially bypass the header cmd and view any code after that?
  14. select the row you want which is null

         do a select on the db where the id = pizza and checked <> null
         check to see if you have a row,
         if you do cycle through all null records where id = pizza and change the value to the value in your row from the query
         else do nothing

      This is assuming all pizza entries that are not null are one constant value (all 1's or all 0's). Hope that makes sense.
  15. There is no code after the redirect, it just loads up the form page. So if they aren't using a browser or have some modded browser that doesn't recognize the header cmd then it will just send them my form and they can post to it? Will exit; stop the html afterwards from loading? Thx.
  16. Interesting article. I will start using session_regenerate_id(); when I set my session variables and see if that makes a difference.
  17. Thanks for the feedback. I recently changed to '!=='. Before I was using strcmp. Reading up on session fixation now.
  18. Hi Everyone,

      Hoping you can help. I've been using session authentication for a while on a few small sites without any problems up until now. I have recently been getting some html injections into a form that only members can view through session authentication. I set up a log on the login page and compromised form to see if they were gaining access through the login form then injecting into the other form, but the entries didn't match up, so I assume they are bypassing my authentication script for that form.

      Here is my authentication script which is called at the start of every member only page:

         function memberAuth(){
             session_start();
             if($_SESSION['MEMBER'] !== "YES"){
                 session_destroy();
                 header("Location: memberLogin.php");
             }
         }

      Is there any easy way to bypass this? I've used this for a while and never ran into any problems before. If you need any additional info, please let me know. Thx.