Everything posted by discomatt

  1. Simply set the permissions on the folder so PHP has access to it, and use absolute paths when copy()ing or move_uploaded_file()ing.
  2. I would store the numbers in a database/file outside of webroot... The most basic way to do this would be to store the number beside a timestamp... incrementing by 30 seconds. Use a meta refresh to force the user to refresh the page every 30 seconds, then poll the database for any numbers where the timestamp is later than NOW(). Display results. You could use ajax along with this to save a bit of bandwidth, or to get around people who've disabled meta refresh.
  3. Is your PHP page encoded in UTF-8? Have you declared it in the meta? Try doing this immediately after mysql_connect(): mysql_query( "SET NAMES 'utf8';" ); This might also help: http://www.shawnolson.net/a/946/unicode-data-with-php-5-and-mysql-41.html
  4. If you want to keep the numbers away from the user's eyes during execution, or to have the 'exposure' time identical among multiple clients, javascript is not the ideal solution.
  5. A regex like this will work '/<a(?:.(?!style="))*?>/s' But keep in mind, you're using lookaround along with a lazy quantifier... this won't be the most efficient expression in the world.
  6. Microtime doesn't make any attempts to be unique, it simply returns the current time at a microsecond level.
  7. Entropy, to put it simply. Random prefix is just that... a random string that's prefixed in front of the ID... $uid = uniqid( md5(mt_rand()), TRUE ); Though slightly slower, the chances of a collision are extremely unlikely... even if you have several executions in a millisecond.
  8. For the record, using quotes around an INT value is perfectly acceptable in MySQL... it's actually recommended from a security standpoint, as it can help prevent injection that gets around mysql_real_escape_string()
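The point in post 8, shown as an added example that is not code from the thread: an escaped-but-unquoted integer still lets an expression through, quoting it as the post suggests turns it into one string literal, and validating then binding the value keeps it out of the SQL text altogether. It assumes PDO with the SQLite driver so it runs without a MySQL server (the thread's mysql_* functions no longer exist in PHP 7 and later).

```php
<?php
// Added example, not code from the thread. Uses PDO with an in-memory
// SQLite database (assumed available) so it runs without MySQL; the
// mysql_* functions used in the thread were removed in PHP 7.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// 1. Escaped but unquoted. An escaper only neutralises quote characters,
//    and a value such as "1 OR 1=1" contains none, so the whole expression
//    reaches SQL intact. (addslashes() stands in for the escaping step.)
function findUnquoted(PDO $pdo, string $id): array {
    $sql = 'SELECT name FROM users WHERE id = ' . addslashes($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Quoted, as the post recommends. PDO::quote() escapes and wraps the
//    value, so it is compared as one string literal and the OR clause is
//    gone. SQLite matches nothing; MySQL would coerce the leading "1"
//    and match that single row, which is still not a bypass.
function findQuoted(PDO $pdo, string $id): array {
    $sql = 'SELECT name FROM users WHERE id = ' . $pdo->quote($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Validate and bind. Reject anything that is not a plain decimal
//    integer before it gets near SQL, then let the driver carry the value
//    separately from the query text. null means "bad request".
function findBound(PDO $pdo, string $id): ?array {
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => (int)$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = '1 OR 1=1';   // constructed request value for the demonstration
print_r(findUnquoted($pdo, $input));
print_r(findQuoted($pdo, $input));
var_dump(findBound($pdo, $input));
print_r(findBound($pdo, '2'));
```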
  9. uniqid() is also based on the date/time to the microsecond, but can add entropy and pseudo-random prefixing. I'd suggest using that, or MySQL's UUID() function over md5( microtime() )
  10. PHP's uniqid() or MySQL's UUID() might help with this as well.
  11. You're describing EXACTLY what sessions do. If you create that functionality, and follow the format, you can use PHP's session engine to populate everything for you! First, check out how sessions work. Check this out: http://www.tizag.com/phpT/phpsessions.php Once you get comfortable with using them, you can start on your own handler that uses a database to store the information. I'm working on a sample class for you that implements variable session expiry time. It'll seem overwhelming at first, just go through it line by line and explain what you don't understand.
  12. The manual provides several in-code examples. I'm not here to code for you
  13. No, you're going to use session regeneration for both. The only difference is one will expire when the browser closes, the other will expire in x hours/days/months etc. Creating a custom session handler will be your first step. Here's a good start: http://www.phpbuilder.com/columns/ying20000602.php3 Once you have your handler built, post here or PM me and I'll help you to get the variable time down. This won't be easy... properly implementing security measures rarely is.
  14. You gotta find a balance. Plain text cookies CAN be sniffed (it's not easy, though)... if your data is important enough, buy an SSL certificate for $100-400/year. With sessions, you can use what's known as session regeneration. A new ID is generated every page request, so unless the user is idle their ID will change several times a minute. This makes sniffing/spoofing very difficult, and social engineering near impossible (by the time the attacker fools the user into giving up their ID, it's changed). This is done with a single function call ( session_regenerate_id() ). And yes, if you create a custom session handler, you can have variable session expiry dates.
  15. Neither is using the 'global' keyword. By giving functions the ability to change variables on the global scope you are creating a debugging nightmare. If a function accidentally over-writes $db_connect, it'll break your whole script... and you'll have to check every function that uses $db_connect globally in order to debug the problem.
  16. I'd avoid using the global keyword. Instead, I'd use the $GLOBALS superglobal to make a copy of the database link identifier to use in the function
<pre><?php
function clean ( $data )
{
    // Create a copy of the global resource, this way the function can
    // never accidentally overwrite the variable
    if( !isset($GLOBALS['link']) )
        return $data;
    $link = $GLOBALS['link'];

    //Removes blank spaces at the beginning and at the end of the string
    $data = trim($data);

    //If get_magic_quotes_gpc is set, removes the slashes to prepare for mysql_real_escape_string
    if(get_magic_quotes_gpc())
        $data = stripslashes($data);

    //Escapes the string and returns the now secured data
    return mysql_real_escape_string($data, $link);
}

$link = mysql_connect( 'localhost', 'root', '' );

$val = "zomg ' test ' with ' escapes";
echo $val."\n";
$val = clean( $val );
echo $val."\n";
?></pre>
  17. You're getting it. Sessions allow you to bind more than just the ID to the cookie. A well built session handler will provide an automatic interface between the user's cookie ID and any data you bind to it in a database.
  18. echo $_SESSION['form_data']['get_variable'];
  19. You gotta find a balance. Sadly, if getting it to look a specific way is top priority, it's going to be time-consuming. Using markup to generate printable pages leaves many interpretations and has many variables client-side. The result on one computer could differ significantly from that on another. PDF is by far your best bet.
  20. or create a database handling class!
<pre><?php
class db
{
    private $link;

    public function __construct( $h, $u, $p, $db )
    {
        if( ($this->link = mysql_connect($h, $u, $p)) === FALSE )
            throw new Exception( 'Unable to connect to database!' );
        if( mysql_select_db($db, $this->link) === FALSE )
            throw new Exception( 'Unable to select database!' );
    }

    public function query( $q )
    {
        // Run the query on this object's own link, not whichever
        // connection happened to be opened last
        if( ($r = mysql_query($q, $this->link)) === FALSE )
            throw new Exception( 'Query failed!<br />'.mysql_error($this->link) );
        else
            return $r;
    }

    public function clean ( $data )
    {
        //Removes blank spaces at the beginning and at the end of the string
        $data = trim($data);

        //If get_magic_quotes_gpc is set, removes the slashes to prepare for mysql_real_escape_string
        if(get_magic_quotes_gpc())
            $data = stripslashes($data);

        //Escapes the string and returns the now secured data
        return mysql_real_escape_string($data, $this->link);
    }
}

try
{
    $db = new db( 'localhost', 'root', '', 'database' );
    $val = "zomg ' test ' with ' escapes";
    echo $val."\n";
    $val = $db->clean( $val );
    echo $val."\n";
}
catch ( Exception $e )
{
    echo $e->getMessage();
}
?></pre>
  21. If you want all your sessions to expire in two weeks, no. If you want the user to be able to choose, it gets a bit trickier.
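A sketch of what posts 13, 14 and 21 describe, added here as an example; it is not the sample class the thread author mentions. It regenerates the ID with session_regenerate_id() at login and then periodically (rather than on every request), and stores a per-user expiry server side so a "remember me" login can outlive a browser-session login. The lifetimes, the rotation interval and the cookie flags are assumed values, not figures from the thread.

```php
<?php
// Added example, not the thread author's handler; lifetimes and cookie
// flags are assumed values.
const IDLE_LIMIT    = 30 * 60;     // browser-session login: idle timeout
const LONG_LIFETIME = 14 * 86400;  // "remember me" login: absolute limit

function startSession(): void {
    session_set_cookie_params([
        'lifetime' => 0,      // dies with the browser unless extended at login
        'path'     => '/',    'samesite' => 'Lax',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
    ]);
    session_start();
}

function loginUser(int $userId, bool $rememberMe): void {
    // Discard the pre-login ID so anything captured or fixated before
    // authentication no longer maps to this session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['remember'] = $rememberMe;
    $_SESSION['expires']  = time() + ($rememberMe ? LONG_LIFETIME : IDLE_LIMIT);
    $_SESSION['rotated']  = time();
    if ($rememberMe) {
        // Re-send the cookie with a long lifetime; server-side 'expires' still rules.
        $p = session_get_cookie_params();
        setcookie(session_name(), session_id(), [
            'expires' => time() + LONG_LIFETIME, 'path' => $p['path'],
            'secure' => $p['secure'], 'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
}

function checkSession(): bool {
    if (empty($_SESSION['user_id']) || time() > $_SESSION['expires']) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    if (!$_SESSION['remember']) {
        $_SESSION['expires'] = time() + IDLE_LIMIT;  // slide on activity
    }
    if (time() - $_SESSION['rotated'] > 300) {       // rotate the ID periodically
        session_regenerate_id(true);
        $_SESSION['rotated'] = time();
    }
    return true;
}
```

Call startSession() at the top of every page, loginUser() once credentials have been verified, and checkSession() before serving anything that needs a logged-in user.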