drewbee

A few things here 1) ALWAYS wrap mysql_real_escape_string around ANY variable that goes into your database. This will help protect you from SQL injection; 2) For good coding practicies, always place quotes within your associate arrays IE $_POST, $_REQUEST, $_GET and go like this> $_POST['myvar'] SO SET password = '".mysql_real_escape_string($_REQUEST['newpassword'])."' 3) You are getting that message because you are trying to access variables that are being used without first being created; Depending on your error level this will show or not show. You can either tone down your error reporting level (not recomended), or always define your variables like so: $_REQUEST['newpassword'] = isset($_REQUEST['newpassword']) ? $_REQUEST['newpassword'] : '' This will set the variable $_REQUEST['newpassword'] to an empty string if it does not exist yet. Always place these at the top of the script so the variables can be properly initialized. Good luck

Yeah; I think if you are doing a web design website and expect to attract some customers, your site needs to be 2.0'ish at the least. People love the shiny stuff these days.

Try and split your reponse text up with a delimeter IE comma, pipe etc; value1|value2 then with your javascript response = req.responseText.split('|'); element1.innerHTML = response['0']; element2.innerHTML = response['1']; as always, this is psudo code

Nope; Infact this is what caused my error; I assumed it was the same syntax as error_reporting();

Well depending on what is going on, you can either store them in the $_SESSION variable (just make sure you clear it when you are done), or on the 2nd page use hidden elements ie <input type="hidden" name="first_page_variable" value="{$_POST['first_page_variable']}"> Then on the third page, $_POST['first_page_variable'] will be available for you.

Personally I developed a forms class and love it! I dont have to worry about the rendering, display etc. One thing you may look into well is that for each free text field I require a minimum (or blank) / maximum length. Instead of me writing custom code to validates the data isn't greater then maximum length, it dynamically checks it based on the name. So all I do is create a form element, and the basic validation is there (required, length, data) etc. This helps take out the mundaine recoding of elements and adds basic protection to the form. Then if additional validation is needed, it is added.

Correct. Always define variables before there use. I wish PHP shipped standard with error_reporting(E^ALL) set. This isn't a personal attack on you, because it accounts for a huge percentage of PHP developers who have had no experience with other languages. It is always good practice to initialize variables before use. One technique I use for POST or GET variables is the following: <? $_GET['var'] = isset($_GET['var']) ? $_GET['var'] : ''; ?> This way, if the variable is not set on page load, it will have a default value of '' (empty string)

Check out http://us.php.net/mcrypt Good read on mcrypt

lol, whoops. Doesn't this forum properly convert html? haha

Gotcha: I will verify error_reporting = ^E_ALL and display_errors = on

The textarea passes a new line break on entering; When you are displaying the data entered from the textarea, try wrapping the function nl2br() around the textarea data. This will convert every new line to a <br>

Thanks Rhodesa, this information is very useful.

Hello everyone, I disabled the PHP error handling global PHP option. After turning it back on (recompiling apache) etc, my error messages will only show up if i explicitly set the erroring reporting in the page. Otherwise it seems like the setting isn't taking effect. Does anyone have any tips or areas I may have missed in the PHP config that I left the error reporting turned off elsewhere?

cooldude, Its not hard to figure out; He wants to know how to prevent user enumeration; what is so difficult to understand about this? Personally, I do not know how to keep this from happening; but the basics behind user enumeration is that for every account on a host, you can access the users public_html folder by going to mydomain.com/~username which you can also access mydomain.com/~root Unfortunately, I do not know how to prevent this from happening.

Ok Agent. That should keep you out of the includes folder. Fixed contact.html(Thats what I get for writing code too quickly). Fixed XSS injection from registration email. Fixed project (editing form and submitting) issue. I will need to take a look around at any other drop downs I have. can't really say I validated the majority of them. Thanks for the 232 emails from the contact form btw lol. What tool do you use to do all this checking?

Yeah. I spelled it incorrectly to give it its own kind of name rather then pulling straight dictionary words out. If anything, I can always redirect the correctly spelling to it.

Oh, user enumeration. How does one go about preventing this? I have looked around the internet and have come up with nothing.

Items I need to add before site goes completely live: - ability for user to upload files for projects within project boards - add sitemap.html file

Hello everyone, I am creating a freelance marketplace so to speak. I need testers to run through the processes and verify things are working correctly. (Post Projects, XSS, Injection etc). Whatever your heart desires. The process starts out with registration / account validation and then requiring a correct password. One of the main points that I need tested is the paypal account funding. If you wish to test this, go to control panel -> Add Funds or to withdraw them control panel -> Withdraw funds. If any money is transfered in and for some reason the system doesn't work, fails, or rejects it. Please let me know so I can directly send it back through paypal. As well, just play with the site and break stuff! Oh, I almost forgot, in order to post a project it is a 5.00 fee (which is refunded after project close). To try and stay with the system I would like a few people to test this. As stated before, if something happens, please let me know so I can get your money back to you. http://www.freelancebazar.com

You need to make sure the header call happens before any output is sent to the browser. Headers are sent before the html is rendered out to the browser, thus needing it set before this action happens. In your code above, you have several echo's. Remove them or rearrange things as to not output data so that the header can be set.

xyn, I have never done this. Wont this just display a blank screen for three seconds then redirect?

use header("Location: /placewhereiwanttogo.php"); Below this line add it: <? // Finally, destroy the session. session_destroy(); header("Location: /placewhereiwanttogo.php"); ?>

I do agree with you though akitchin. If a meta refresh is to be used, always make sure their is a link pointing to the same place the refresh is going to. Nothing gurentee's that refresh will take them forward.

I personally can't stand the meta refresh. It generates a little to much overhead for a redirect (ie loading a page, refreshing, then loading another page). It can also be disabled. I prefer using headers as this is done and used before any output is sent to the browser. Yes it will throw an error if output is already sent. This is how headers are, it will throw an error if output is sent and you try and set any other data ie user agent, http-status. This is not just the redirect, but all headers in general. Also, bots can pick up on these redirects and know the information from where it came from as well as where it is going. If you have problems using redirect's in the right place, try coding for the better. For instance, after every single POST and processing takes place on my pages, I issue a header redirect. That way on the next page when the person hits refresh, it doesn't repost the data. When the user hits the back button, they are returned to the original form, rather then to the POSTED TO page. If you need help with these things, I highly recomend looking into output buffering.

I do use exceptions. Sort of. Probobly should use them more though, eh? I wanted to go this route as a sort-of global catch all and anything thats missed within the classes.